The vibe-coding revolution has a security problem. Bob Starr, a tech project manager, shipped his AI-generated website Boomberg live to the internet without realizing it contained a critical SQL injection vulnerability that could’ve exposed sensitive data for months. It’s a warning shot for the growing number of developers using AI tools to write code they don’t fully understand – and the security blind spots that come with it.

Bob Starr thought he’d cracked the code. His AI-generated website Boomberg – designed to track how much US tax money flows to tech companies – went from concept to live deployment in record time. The thrill of vibe-coding, where developers use AI to generate entire applications through conversational prompts, made building software feel almost effortless.

But months after launch, Starr discovered something that made his stomach drop. Hidden in the AI-generated code was a SQL injection vulnerability, one of the most common and dangerous security flaws in web development. An attacker could potentially have read or manipulated database information they had no business accessing.

“It was just a glaring oversight on my part,” Starr told The Verge. “It was a complete blind spot in my state of learning this new technology and understanding it, and I’m sure there are others making the same mistake.”

Starr’s admission cuts to the heart of a growing concern in the developer community. As AI coding tools from OpenAI, Microsoft’s GitHub Copilot, and Google’s offerings make it easier than ever to generate functional code, they’re also creating a new class of developers who ship applications without fully understanding what’s under the hood.

The SQL injection flaw Starr discovered represents one of the oldest tricks in the attacker’s playbook. According to the OWASP Top 10 – the industry standard for web application security risks – injection vulnerabilities have plagued applications for decades. But in the age of AI-generated code, these ancient security holes are finding new life.

What makes vibe-coding particularly risky is the confidence gap it creates. The code works, it looks professional, and it ships fast. For someone like Starr, a project manager with technical knowledge but not deep security expertise, the AI-generated output felt production-ready. There was no obvious red flag, no error message, no warning that something critical was missing.

The problem isn’t unique to one person or one project. As AI coding assistants have exploded in popularity over the past two years, security researchers have started flagging concerns about the quality and security of machine-generated code. While these tools excel at producing functional syntax and solving common programming challenges, they don’t consistently apply security best practices or account for edge cases that could create vulnerabilities.

Starr’s experience with Boomberg reveals how easy it is for these blind spots to slip through. He had the technical chops to build and deploy a website, enough knowledge to feel confident in his work, but not quite enough security awareness to catch a vulnerability that might’ve been obvious to a seasoned developer or security professional.

The incident also highlights a broader tension in the industry. AI coding tools promise to democratize software development, letting more people build applications without years of formal training. But security has always been one of the harder aspects of development to master – it requires not just knowing how to make code work, but understanding all the ways it could break or be exploited.

For Starr, the discovery came through continued learning about the technology stack he’d used. As he dug deeper into how the components worked together, the vulnerability became visible. But how many other vibe-coded projects are sitting in production right now with similar issues, waiting to be discovered by their creators – or worse, by malicious actors?

The challenge for the industry is figuring out how to maintain the speed and accessibility benefits of AI-generated code while building in better security guardrails. Some companies are already working on AI tools that specifically scan for vulnerabilities, but they’re playing catch-up to the coding assistants that have already reshaped how millions of developers work.

Starr’s willingness to share his mistake publicly is rare in an industry that often keeps security incidents quiet. His hope is that other developers learning to vibe-code will take the extra step he initially skipped – validating that AI-generated code is not just functional, but secure.
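One concrete form of the extra validation step the article describes, added here as an example and not code from the article, from Starr, or from Boomberg: a small Python review check that walks a source file's syntax tree and flags any database `execute()` call whose query text is assembled with concatenation, `%`, `.format()` or an f-string, the pattern behind most SQL injection flaws in generated code. The snippet it scans is constructed for this example; Boomberg's real stack and schema are not described in the article.

```python
"""Flag SQL queries built from string formatting before they reach execute()."""
import ast

# Method names that typically take raw SQL text as their first argument.
EXEC_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):  # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):  # "..." % x
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):  # "..." + x
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...{}".format(x)
    return False


def find_dynamic_sql(source: str) -> list[int]:
    """Return line numbers of execute-style calls fed a dynamically built query."""
    tree = ast.parse(source)
    # Resolve the simple case `query = <expr>` so `cur.execute(query)` is caught too.
    assigned = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            if isinstance(node.targets[0], ast.Name):
                assigned[node.targets[0].id] = node.value
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXEC_NAMES or not node.args:
            continue
        query = node.args[0]
        if isinstance(query, ast.Name):
            query = assigned.get(query.id, query)
        if _is_dynamic_string(query):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed sample of the kind of code an assistant emits: two unsafe queries, one safe.
SAMPLE = '''
def company_total(cur, name):
    # data glued straight into the query text: injectable
    query = "SELECT SUM(amount) FROM contracts WHERE company = '" + name + "'"
    cur.execute(query)
    return cur.fetchone()

def company_total_safe(cur, name):
    cur.execute("SELECT SUM(amount) FROM contracts WHERE company = ?", (name,))
    return cur.fetchone()

def by_year(cur, year):
    cur.execute(f"SELECT company, amount FROM contracts WHERE year = {year}")
    return cur.fetchall()
'''

if __name__ == "__main__":
    print("dynamic SQL at lines:", find_dynamic_sql(SAMPLE))
```

Running it on the sample reports lines 5 and 13 and stays silent on the parameterized query, which is the shape a reviewer should expect from AI output before it ships.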

The vibe-coding era is here, and it’s not going away. AI tools have made building software faster and more accessible than ever before. But Starr’s experience with Boomberg serves as a critical reminder that speed and accessibility don’t automatically equal security. As more developers – experienced and new alike – lean on AI to generate code, the industry needs to develop better practices for validating that what works is also what’s safe. The alternative is a web full of functional applications hiding dangerous vulnerabilities, waiting for someone to notice.