A security researcher is building what might be the most terrifying database in tech right now: a real-time catalog of apps built with AI-generated code. The findings? Out of 198 iOS applications scanned, 196 have security vulnerabilities. That's 99%.
Welcome to the "vibecoding" era - where developers ship code they don't fully understand because an LLM told them it would work.
The researcher behind Firehound isn't tracking theoretical vulnerabilities or academic edge cases. These are production applications on the App Store with real users, exposing real data. We're talking about 406 million database records compromised in the worst case, with 13 apps rated as CRITICAL risk level.
The exposed data includes emails, user IDs, device information, authentication tokens, and personally identifiable information - basically everything you'd need to cause serious harm. And it's all sitting there accessible because someone asked ChatGPT to write their backend and never bothered to understand what it actually did.
I need to be clear about something: AI code generation tools are not inherently insecure. GitHub Copilot, Cursor, and ChatGPT can write perfectly secure code. The problem is they can also write catastrophically insecure code, and unless you know enough to tell the difference, you won't know which one you got until it's too late.
This is fundamentally different from Stack Overflow-driven development. When you copy code from Stack Overflow, there are usually comments explaining what it does, warnings about edge cases, and follow-up answers pointing out security issues. The code has been seen by human eyes. It's been debugged in public.
AI-generated code comes with none of that context. It arrives fully formed, syntactically correct, and often functional enough to pass basic testing. It looks professional. And if you're junior enough or rushed enough or trusting enough, you ship it.
The common pattern Firehound is finding: misconfigured Firebase databases, exposed API keys, authentication bypasses, and broken access controls. These aren't sophisticated zero-days. These are the kind of mistakes a senior engineer would catch in code review - if there were a senior engineer reviewing the code.
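As an added example (not Firehound's code and not from the original post), here is a small Python audit of a Firebase Realtime Database rules file that flags the open-access grants behind the "misconfigured Firebase database" pattern, run against three constructed rule sets: the open "test mode" default, a common half-fix, and a per-user hardened version.

```python
"""Audit a Firebase Realtime Database rules file for the over-broad grants
behind 'misconfigured Firebase database' findings. Added example, not
Firehound's code; the rule sets below are constructed samples."""
import json

# Rule values that grant access to anyone on the internet, signed in or not.
PUBLIC = (True, "true")
# Grants access to every signed-in user, with no check on whose data it is.
ANY_AUTH_USER = "auth != null"


def audit_rules(rules: dict) -> list[str]:
    """Walk the rules tree and return one finding per over-broad grant."""
    findings: list[str] = []

    def walk(node: dict, path: str) -> None:
        label = path or "/"
        for key, value in node.items():
            if key in (".read", ".write"):
                perm = key[1:]
                if value in PUBLIC:
                    findings.append(f"{label}: {perm} is public (no auth)")
                elif isinstance(value, str) and value.strip() == ANY_AUTH_USER:
                    findings.append(f"{label}: {perm} open to every signed-in user")
            elif isinstance(value, dict):  # child location, possibly a $wildcard
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings


# What Firebase "test mode" ships: the whole database readable and writable
# by anyone who knows the project URL.
WEAK_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# A common half-fix: any signed-in account can read every user's records,
# and writes are still wide open.
MIXED_RULES = json.loads(
    '{"rules": {"users": {".read": "auth != null", ".write": true}}}')

# Hardened: each user can reach only the subtree keyed by their own uid;
# every path without a matching rule is denied by default.
HARDENED_RULES = json.loads("""{"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}""")

if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULES), ("mixed", MIXED_RULES),
                          ("hardened", HARDENED_RULES)):
        print(name, audit_rules(ruleset) or ["no findings"])
```

Point it at the exported `database.rules.json` of a project to get the same findings for real rules; an empty result means no unconditional or any-signed-in-user grant, not that the rules are correct.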
