An AI Vibe Coding Horror Story
Tobias Brunner
Mar 28, 2026
And so it happened, my first real-world AI vibe coding horror story, one that affected me personally.
I went to a medical appointment and was greeted by a friendly person. Shortly after the warm welcome, they mentioned watching a video explaining how easy it is for anyone to build software with AI these days. That sparked an idea: why use an industry-proven solution when you could just build your own patient management system?
So they did exactly that. They fired up a coding agent, built a custom patient management application, imported all their existing patient data into it, and published it to the internet. They even added a feature to record conversations during appointments and send the audio to not one, but two AI services for automatic summaries. No more manual note-taking.
Everything that could go wrong, did go wrong.
A few days later, I started poking around the application. Thirty minutes in, I had full read and write access to all patient data. Everything was unencrypted and completely exposed to the open internet. My first move was to notify the person immediately. The response I got was 100% AI-generated, thanking me warmly for reporting it and assuring me they had taken immediate action by adding basic authentication and rotating some access keys.
This person had no idea what they had built, or what the consequences could be. The data wasn't just wide open: it was stored on a US server without a Data Processing Agreement, voice recordings were being sent to major US-based AI companies, and I had never been informed any of this was happening. That is not how medical patient data can be handled. They almost certainly violated multiple provisions of the nDSG law and potentially professional secrecy laws (Berufsgeheimnis) as well, though I'm not a lawyer.
Technical Background
The entire application was a single HTML file with all JavaScript, CSS, and structure written inline. The backend was a managed database service with zero access control configured, no row-level security, nothing. All "access control" logic lived in the JavaScript on the client side, meaning the data was literally one curl command away from anyone who looked.
All audio recordings were sent directly to external AI APIs for transcription and summarization.
There was more, but this is already enough to get the idea.
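To make the difference between client-side and server-side access control concrete, here is an added example (not code from the application or from the original post). It models a data API that answers every caller next to one that evaluates a default-deny, per-row policy on the server; all table, field and token names are hypothetical and the records are constructed sample data.

```javascript
// Added illustration; table, field and token names are hypothetical, data is constructed.
const patients = [
  { id: 1, owner: "practice-a", name: "Sample Patient 1", note: "constructed" },
  { id: 2, owner: "practice-a", name: "Sample Patient 2", note: "constructed" },
  { id: 3, owner: "practice-b", name: "Sample Patient 3", note: "constructed" },
];

// Pattern described in the post: the data API answers every caller, and the
// only "access control" is a filter that runs in the browser.
const openApi = {
  select: () => patients.map((r) => ({ ...r })),
  update: (id, patch) => Object.assign(patients.find((r) => r.id === id), patch),
};
const clientSideGate = (rows, user) => (user ? rows.filter((r) => r.owner === user) : []);

// Server-side enforcement: the caller's identity comes from a session the
// server issued, and a default-deny policy is evaluated for every row.
const sessions = new Map([["tok-a", "practice-a"], ["tok-b", "practice-b"]]);
const policy = {
  select: (principal, row) => row.owner === principal,
  update: (principal, row) => row.owner === principal,
};
function authorize(token, action, row) {
  const principal = sessions.get(token);
  const rule = policy[action];
  return Boolean(principal && rule && rule(principal, row));
}
const enforcedApi = {
  select: (token) => patients.filter((r) => authorize(token, "select", r)).map((r) => ({ ...r })),
  update(token, id, patch) {
    const row = patients.find((r) => r.id === id);
    if (!row || !authorize(token, "update", row)) throw new Error("denied");
    const { owner, id: _ignored, ...allowed } = patch; // ownership and id are not client-writable
    return { ...Object.assign(row, allowed) };
  },
};

// What each design returns to a caller that never runs the page's JavaScript.
function compare() {
  return {
    browserShows: clientSideGate(openApi.select(), null).length, // UI looks locked
    openApiReturns: openApi.select().length,                     // but the API sent everything
    enforcedAnonymous: enforcedApi.select(undefined).length,
    enforcedPracticeA: enforcedApi.select("tok-a").map((r) => r.id),
  };
}
```

In a managed database the `policy` object corresponds to row-level security rules defined in the database itself, so they apply no matter which client sends the request.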
Outlook
That's not the AI future I'm looking forward to. Personally, I'm using AI coding agents as well, but I'm able to understand what's happening, can read the code and have an idea of software architecture. Anyone just vibing away clearly won't give us a happy future.