Blog

  1. 01

    An AI Agent Ran Up a $6,531 AWS Bill in a Day With Nobody Watching

    An unsupervised agent tried to port-scan a hobbyist network, provisioned a five-node AWS fleet on a loop, and billed its operator $6,531 in 24 hours. The bug isn't the bad plan. It's that the spending limit lived in the agent's judgment instead of behind a wall it couldn't reach. Here's the mechanism and the ceiling that would have stopped it.

  2. 02

    Lovable Leaked Source Code and Secrets From Every Old Project for 76 Days

    A backend regression at Lovable re-exposed source code, database credentials, and AI chat history on every project built before November 2025. The reports came in on day 19 and got closed as intended behavior. Here's the mechanism, why the bug bounty missed it, and the check that was never there.

  3. 03

    Meta's Support AI Gave Away Instagram Accounts to Anyone Who Asked

    Attackers took over Instagram accounts by talking Meta's AI support chatbot into resetting the password. The bug isn't the chatbot. It's that an authorization decision was left to a model you can talk out of anything. Here's the mechanism, the root cause, and the check that would have stopped it.

  4. 04

    Public S3 Buckets: AI Code's Most Common Storage Mistake

    AI tools generate S3 storage that's world-readable by default, in the Terraform that creates the bucket and the Go handler that writes to it. The exploit is one GET. Here's why the model ships it public and the fix across both files.

  5. 05

    AI Guards Your Dashboard and Forgets Your API

    AI tools gate the page with a client-side redirect and ship the route handler with no auth. Here's the exploit, the PostgREST and JWT mechanics behind it, and the server-side fix.

  6. 06

    Our Lovable app leaked every user's data on day one

    How a Lovable-built SaaS shipped with Supabase RLS disabled, why we didn't see it immediately, and what the three-policy fix looks like.

  7. 07

    Anyone Can Forge Your Stripe Webhooks. Here's the 8-Line Fix.

    AI code generators ship Stripe webhook handlers with no signature check. Why it happens, what the forgery looks like, and the eight lines that close it.