"Just Fucking Ship It" (Or: On Vibecoding)
10 months ago
- #privacy
- #app-development
- #security
- The author attended a hackathon where they encountered an AI tutor app called Mentora, which later evolved into a social media app named Pandu.
- Pandu's iOS app was decrypted and analyzed, revealing client-side handling of OpenAI API keys and system prompts.
- Supabase was used as a backend, but misconfigurations allowed unauthorized access to database relations, exposing sensitive user data.
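  As an added illustration of the class of Supabase misconfiguration described above (this is not Pandu's schema or the post's own code; the `public.locations` table and its columns are assumed for the example), the default exposed state beside the row-level-security fix, plus a query that lists tables still left open:

  ```sql
  -- Added example, not Pandu's schema. Assumed table: public.locations (user_id column).
  -- WEAK: a table reachable through the auto-generated REST API with row level
  -- security disabled. The anon key ships inside every client build, so anyone
  -- holding it can read every row of this table, not just their own.
  create table public.locations (
    id         bigint generated always as identity primary key,
    user_id    uuid not null references auth.users (id),
    lat        double precision not null,
    lng        double precision not null,
    updated_at timestamptz not null default now()
  );
  -- (no RLS and no policies: this is the default, and the misconfiguration)

  -- HARDENED: enable RLS so that, absent a matching policy, every role that goes
  -- through the API (anon, authenticated) gets zero rows by default.
  alter table public.locations enable row level security;

  -- Each signed-in user may read only their own row.
  create policy "locations: owner can read"
    on public.locations for select
    to authenticated
    using ((select auth.uid()) = user_id);

  -- Each signed-in user may insert or update only a row tagged with their own id.
  create policy "locations: owner can insert"
    on public.locations for insert
    to authenticated
    with check ((select auth.uid()) = user_id);

  create policy "locations: owner can update"
    on public.locations for update
    to authenticated
    using ((select auth.uid()) = user_id)
    with check ((select auth.uid()) = user_id);

  -- No policy is created for the anon role, so unauthenticated reads return nothing.
  -- Apply the same owner-only pattern to profiles and push-token tables, or keep
  -- tokens out of the API-exposed schema altogether.

  -- CHECK: list tables in the public schema that still have RLS disabled.
  select c.relname
  from pg_class c
  join pg_namespace n on n.oid = c.relnamespace
  where n.nspname = 'public'
    and c.relkind = 'r'
    and not c.relrowsecurity;
  ```

  The service-role key bypasses RLS regardless of these policies, which is why it must stay on the server and never be embedded in a client build alongside the anon key.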
- Exposed data included user profiles, push notification tokens, chat requests, and live geographic locations, raising serious privacy concerns.
- The app's architecture allowed manipulation, such as sending arbitrary push notifications and accessing private user information.
- Nearly 10,000 users signed up for Pandu, including minors, with their personal data exposed due to poor security practices.
- The creator of Pandu, Christian, was criticized for incompetence and recklessness, with the app posing significant privacy risks.
- Users were urged to stop supporting the app, report it, and remove friends and loved ones from the platform due to its dangers.