Ethical Hacking News
A critical security flaw has been discovered in Base44, a popular AI-powered vibe coding platform, which could allow unauthorized access to private applications built using the platform. The vulnerability was responsibly disclosed on July 9, 2025, and patched within 24 hours. This discovery underscores the importance of robust security measures when using AI tools in enterprise environments.
Wiz discovered a critical security flaw in the Base44 AI-powered coding platform. The vulnerability allowed unauthorized access to sensitive data and applications, posing significant risks. The misconfiguration left two authentication-related endpoints exposed without restrictions. Attackers could register for private applications using only an "app_id" value and gain full access to them. The vulnerability was patched by Wix within 24 hours of responsible disclosure. The discovery highlights the importance of robust security measures when using AI-powered coding platforms.
In a recent disclosure, cloud security firm Wiz has identified a critical security flaw in a popular AI-powered vibe coding platform called Base44. This vulnerability, which was responsibly disclosed on July 9, 2025, poses significant risks to the private applications built using this platform, as it allows unauthorized access to sensitive data and applications.
The base44 platform is designed to generate code for applications by providing a text prompt, leveraging artificial intelligence (AI) and machine learning capabilities. This AI-driven approach enables users to create functional applications with minimal programming expertise, making it an attractive option for developers and enterprises alike. However, the recent findings have highlighted a significant security shortcoming in this platform.
According to Wiz's report, the vulnerability was discovered by cloud security researchers who identified a misconfiguration in Base44 that left two authentication-related endpoints exposed without any restrictions. These endpoints, designated as `api/apps/{app_id}/auth/register` and `api/apps/{app_id}/auth/verify-otp`, were accessible using only an "app_id" value as input. The "app_id" is not a secret and is visible in the app's URL and manifest.json file path.
This misconfiguration allowed attackers to register for private applications using only an "app_id" value, thereby gaining access to an application they didn't own in the first place. After registering, the attacker could login via Single Sign-On (SSO) within the application page, successfully bypassing authentication controls and gaining full access to all the private applications and data contained within them.
The vulnerability was subsequently patched by Wix, the owner of Base44, within 24 hours of responsible disclosure on July 9, 2025. There is no evidence that this issue was ever maliciously exploited in the wild.
The discovery of this critical flaw in Base44 highlights a broader emerging attack surface associated with AI tools in enterprise environments. These platforms are increasingly being adopted by organizations to streamline development processes and improve productivity. However, their growing adoption has also led to concerns about security, as attackers continue to exploit vulnerabilities in these systems.
The recent findings underscore the importance of robust security measures when using AI-powered coding platforms. As AI technology continues to evolve at an unprecedented pace, it is crucial that developers and organizations prioritize security from the outset. This includes implementing strict access controls, validating user inputs, and ensuring that authentication mechanisms are properly configured.
Moreover, the discovery of this vulnerability highlights the need for more comprehensive security testing and validation procedures when using AI-powered tools. As seen in the recent case with Base44, vulnerabilities can arise from seemingly innocuous misconfigurations or oversights in the platform's design.
The security landscape is rapidly evolving, with new threats emerging regularly. In response to these challenges, organizations must invest in robust cybersecurity measures, including regular security audits, penetration testing, and vulnerability assessments.
In conclusion, the recent discovery of a critical flaw in Base44 highlights the importance of prioritizing security when using AI-powered coding platforms. As AI technology continues to grow in prominence, it is essential that developers, organizations, and security experts work together to identify and address vulnerabilities before they can be exploited by malicious actors.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-AI-Powered-Vibe-Coding-Platform-Base44-Allows-Unauthorized-Access-to-Private-Applications-ehn.shtml
https://thehackernews.com/2025/07/wiz-uncovers-critical-access-bypass.html
Published: Tue Jul 29 14:42:14 2025 by llama3.2 3B Q4_K_M
