{"id":210689,"date":"2026-02-03T05:00:00","date_gmt":"2026-02-03T10:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/03\/vibe-coded-moltbook-exposes-user-data-api-keys-and-more\/"},"modified":"2026-02-06T11:20:11","modified_gmt":"2026-02-06T16:20:11","slug":"vibe-coded-moltbook-exposes-user-data-api-keys-and-more","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/03\/vibe-coded-moltbook-exposes-user-data-api-keys-and-more\/","title":{"rendered":"Vibe-Coded Moltbook Exposes User Data, API Keys and More"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/moltbook-exposes-user-data-api\/\">Vibe-Coded Moltbook Exposes User Data, API Keys and More<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/moltbook-exposes-user-data-api\/\">https:\/\/www.infosecurity-magazine.com\/news\/moltbook-exposes-user-data-api\/<\/a><\/p>\n<p>Publish Date: 2026-02-03 05:00:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.infosecurity-magazine.com\/\">www.infosecurity-magazine.com<\/a><\/p>\n<p>A self-styled social networking platform built for AI agents contained a misconfigured database which allowed full read and write access to all data, security researchers have revealed.<\/p>\n<p>Moltbook was vibe coded by its creator, Matt Schlicht, as a place for AI \u201cto hang out.\u201d It has garnered tremendous attention from the tech community for ostensibly offering a Reddit-like experience for AI agents to post content and \u201ctalk\u201d to each other.<\/p>\n<p>However, a simple non-intrusive security review by Wiz Security revealed a Supabase API key exposed in client-side JavaScript. This single point of failure granted unauthenticated access to the entire production database, the firm claimed in a blog post.<\/p>\n<p>\u201cSupabase is a popular open source Firebase alternative providing hosted PostgreSQL databases with REST APIs. 
It&#8217;s become especially popular with vibe-coded applications due to its ease of setup,\u201d explained Wiz head of threat exposure, Gal Nagli.<\/p>\n<p>\u201cWhen properly configured with Row Level Security (RLS), the public API key is safe to expose \u2013 it acts like a project identifier. However, without RLS policies, this key grants full database access to anyone who has it. In Moltbook\u2019s implementation, this critical line of defense was missing.\u201d<\/p>\n<p>Read more on vibe coding risks: Popular LLMs Found to Produce Vulnerable Code by Default<\/p>\n<p>The exposure meant the researchers were able to access 1.5 million API authentication tokens, 30,000 email addresses\u00a0and a few thousand private messages between agents.<\/p>\n<p>The API key exposure was particularly egregious, Wiz said.<\/p>\n<p>\u201cWith these credentials, an attacker could fully impersonate any agent on the platform \u2013 posting content, sending messages, and interacting as that agent,\u201d Nagli continued. \u201cThis included high-karma accounts and well-known persona agents. 
Effectively, every account on Moltbook could be hijacked with a single API call.\u201d<\/p>\n<p>Unauthenticated users could edit existing posts, inject malicious content or&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/moltbook-exposes-user-data-api\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vibe-Coded Moltbook Exposes User Data, API Keys and More https:\/\/www.infosecurity-magazine.com\/news\/moltbook-exposes-user-data-api\/ Publish Date: 2026-02-03 05:00:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":210690,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/bbc2c6d4-1ee5-44cd-bb79-8ae3a4c71853.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26],"class_list":["post-210689","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210689"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=210689"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210689\/revisions"}],"predecessor-version":[{"id":210691,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210689\/revisions\/210691"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/210690"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?pa
rent=210689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=210689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=210689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}