Vibe Coding Fail: Drama in Brazil, dating app for lesbians exposes data

Advocates are currently celebrating "vibe coding" as the philosopher's stone and a revolution in software development: developers are no longer needed, everyone just lets an AI write their code. In Brazil, this trend is now showing its ugly face. A popular dating app for lesbian women was developed using vibe coding. What looked like a cool thing is turning into a worst-case scenario for its users: their personal data could be retrieved with a simple GET request.

What is Vibe Coding?

I double-checked to be sure. According to Wikipedia, vibe coding is the term for a style of software development in which prompts to a large language model are used almost exclusively to generate the source code the software needs. Wikipedia describes vibe coding as a variant of prompt engineering.

Vibe Coding

The term originates from the above tweet by Andrej Karpathy, co-founder of OpenAI and former head of AI at Tesla. Karpathy writes that the method and its AI-generated code are particularly suited to "disposable weekend projects." Unfortunately, Karpathy's tweet was picked up by the AI-must-be-inclusive bubble and set a trend in the discussion about the state of software development in 2025.

As of March 8, 2025, the Merriam-Webster dictionary defines vibe coding as "writing computer code in a somewhat careless fashion, with AI assistance." In May 2025, t3n picked up on the whole thing in an article entitled Vibe Coding: How AI is revolutionizing programming – and why that can be dangerous. And there is a warning about the risks – a software developer reports that his software is coming under increased attack due to numerous security vulnerabilities.

The term vibe coding was new to me, so I couldn't place it at first either. But on November 24, 2024, I posted ChatGPT: Scam crypto API in source code proposal damages victims by $2,500 here on the blog. Today, it would go down in history as a vibe coding fail – back then, it was somewhat ridiculed with comments like "who's that stupid?". Now, being stupid is apparently trendy – at least if you look at many AI projects. "Digitization first, concerns second" is the battle cry, garnished with "just do it, it's more awesome than talking about it."

A very experienced and thoughtful developer might be able to benefit from large language models (LLMs) when developing code. However, my hypothesis is that the majority of developers tend to produce crap more quickly, which will come back to haunt us later (or sooner). And those without experience are on the road to disaster with vibe coding.

Vibe Coding Disaster with Dating App for Lesbians

I don't really have much information about it. In Brazil, there was a dating app for lesbian women that was apparently very trendy and quite popular. It must have been a throwaway weekend project at the kitchen table, because the app's code was created using vibe coding.

Vibe Coding disaster: Brazilian lesbian dating app

This week, I came across the above tweet, which reveals a drama for users. A simple GET request is enough to retrieve users' personal data (name, phone number, email address, photos and, where present, chats).

The Record has since expanded on the story in this article with some additional information. It confirms that users encountered the vulnerability and reported on September 8, 2025, that they could access all personal data. One of the discoverers stated that he could download all photos from the app's database, including names, dates of birth, and selfies for identity verification.
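As an added illustration (my own code, not part of the original post and not the app's code): a small detector run over constructed access-log lines that flags a client pulling many distinct user objects within a short window, which is the footprint an unauthenticated GET endpoint leaves when someone walks through its IDs. The combined log format, the `/api/users/<id>` path pattern, the 60-second window and the threshold are all assumptions; they would be tuned to the real API.

```python
"""Flag clients that retrieve many distinct user objects in a short window.

Added example, not from the original post or the app. The log format
(Apache/nginx "combined"), the /api/users/<id> path layout and the
thresholds are assumptions; the log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Leading part of a "combined" access-log line; trailing referrer/UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Assumed object path: /api/users/<numeric id>, optionally followed by a sub-resource.
OBJECT_RE = re.compile(r"^/api/users/(?P<id>\d+)(?:/|$)")

# Constructed sample: one legitimate client, one client walking sequential ids.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:00:01 +0000] "GET /api/users/1042 HTTP/1.1" 200 812 "-" "app/2.3"
203.0.113.5 - - [10/Sep/2025:10:00:09 +0000] "GET /api/users/1042/photos HTTP/1.1" 200 40211 "-" "app/2.3"
198.51.100.7 - - [10/Sep/2025:10:05:00 +0000] "GET /api/users/1 HTTP/1.1" 200 790 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:01 +0000] "GET /api/users/2 HTTP/1.1" 200 801 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:02 +0000] "GET /api/users/3 HTTP/1.1" 200 795 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:03 +0000] "GET /api/users/4 HTTP/1.1" 200 811 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:04 +0000] "GET /api/users/5 HTTP/1.1" 200 780 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:05 +0000] "GET /api/users/6 HTTP/1.1" 200 803 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:06 +0000] "GET /api/users/7 HTTP/1.1" 200 799 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:07 +0000] "GET /api/users/8 HTTP/1.1" 200 788 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2025:10:05:08 +0000] "GET /api/users/9 HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: n} for clients that successfully fetched more than `threshold`
    distinct user objects within any `window`. Only 200 responses count, so a
    scanner that mostly hits 404s is not flagged here (a separate 404-rate rule
    would cover that)."""
    per_ip = defaultdict(list)  # ip -> [(ts, object_id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        om = OBJECT_RE.match(rec["path"])
        if om:
            per_ip[rec["ip"]].append((rec["ts"], int(om.group("id"))))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best = 0
        # Sliding window anchored at each event: distinct ids seen within `window`.
        for i, (t0, _) in enumerate(events):
            ids = {oid for t, oid in events[i:] if t - t0 <= window}
            best = max(best, len(ids))
        if best > threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

Counting distinct object IDs rather than raw request volume keeps a legitimate client that reloads its own profile out of the result, and tracking by session or API key instead of IP is the obvious refinement once the API is authenticated at all. The detector is a monitoring aid; the fix for the underlying problem is authorization on the endpoint.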

Sapphos, the company that developed the app—which it describes as a small, female-led team—stated that no verification documents had been disclosed. However, screenshots posted on social media contradict this initial statement by Sapphos.

The entire history of the incident, as revealed by The Record, is fascinating: in a series of initial statements, the developers at Sapphos described the disclosure as an "attempted attack by malicious actors." According to The Record, the developers suggested that this had been orchestrated by a group of men. In other words, they tried to play down the incident and shift the blame onto malicious third parties.

One of the security researchers then explained that his intention had not been to harm users, but to alert the company to the vulnerability, which was classified as an insecure direct object reference (IDOR), i.e. an endpoint that returns whatever object is named in the request without checking that the caller is allowed to see it. The developers later had to admit to a security lapse. They stated that they had filed a report with the Brazilian cybercrime police and promised to relaunch the service with stricter security measures.
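To make the IDOR classification concrete, here is an added example (my own code; Sapphos' stack is not known, so nothing here is theirs): an in-memory model of a profile endpoint in its vulnerable form next to a hardened handler that takes the caller's identity from the session and decides per field what that caller may see. The user fields, session handling and sample records are constructed.

```python
"""Insecure direct object reference on a profile endpoint, and a hardened version.

Added example, not the app's code. Data model, field names and records are
constructed; the session store stands in for whatever the real app used.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    user_id: int
    name: str
    email: str
    phone: str
    birth_date: str
    verification_selfie: bytes          # identity-verification document, highly sensitive
    public_profile: dict = field(default_factory=dict)


# Constructed sample records (documentation-style placeholders).
USERS = {
    1: User(1, "Ana", "ana@example.invalid", "+55 11 0000-0001", "1990-01-01",
            b"<selfie-1>", {"bio": "hiking"}),
    2: User(2, "Bia", "bia@example.invalid", "+55 11 0000-0002", "1992-02-02",
            b"<selfie-2>", {"bio": "music"}),
}

SESSIONS = {}   # session token -> user_id


def login(user_id):
    """Issue an unguessable session token for an already-authenticated user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_profile_vulnerable(user_id):
    """Before: GET /users/<id> with neither authentication nor authorization.
    The id in the URL is the only input, so anyone can walk the id space and
    receive every stored field, the verification selfie included."""
    user = USERS.get(user_id)
    if user is None:
        return 404, None
    return 200, vars(user)      # serialises the whole record


def get_profile(session_token, user_id):
    """After: the caller is whoever the session says, never the URL.
    The response is built field by field according to the relationship
    between caller and record, and the verification document is not served
    by this endpoint for anyone."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return 401, None
    user = USERS.get(user_id)
    if user is None:
        return 404, None
    if caller == user.user_id:
        # Owner: contact details, but still no verification selfie.
        return 200, {
            "user_id": user.user_id, "name": user.name, "email": user.email,
            "phone": user.phone, "birth_date": user.birth_date,
            "profile": user.public_profile,
        }
    # Another member: only what the app intends to show on a profile card.
    return 200, {"user_id": user.user_id, "name": user.name,
                 "profile": user.public_profile}


if __name__ == "__main__":
    print("vulnerable:", get_profile_vulnerable(2)[1].keys())
    tok = login(1)
    print("own profile:", get_profile(tok, 1)[1])
    print("other member:", get_profile(tok, 2)[1])
```

Two design points are worth spelling out. Switching to random, unguessable IDs makes enumeration harder but is not a substitute for the ownership check, since IDs leak through other features such as matches and chats. And a verification selfie or ID document should live in a separate store with its own narrowly scoped access path (typically only a review process), so that no bug in a general-purpose profile endpoint can ever reach it.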

The service that provides the API for the dating app has been offline since Tuesday (September 9, 2025). According to the developers, this is "to focus on cybersecurity." It was also stated that the entire user database had been deleted (it's that simple: the database was leaked, so we'll just delete the data).

Around 17,000 users were informed by email that their data had been deleted, and refunds for premium subscriptions of up to 500 Brazilian reais (about $90) were granted.

The developers plan to "restructure everything from the ground up," expand the team, and subject the project to more rigorous security testing before relaunching it. Happy Vibe Coding next?

These are exactly the cases I always warn about. The promise is that any idiot without any knowledge can generate their own software. We will see the disasters that result from this on a daily basis in the future.

And I'm also skeptical that it will work any better for people who know a little bit about software development. At the moment, the hype means that new developers are having trouble finding their first jobs. We run the risk of facing a skills gap in a few years.

And the remaining developers will be crushed by the pressure to get as much done as possible and outsource tasks to AI. Added to this is the human tendency to think, "What has been generated must be right, I don't need to check it carefully." That is bound to go wrong.

This entry was posted in Security, Software.
