Bob Starr, a project manager in the tech sector, built and shipped a website called Boomberg — a tool that maps how much US tax money flows to tech companies — and pushed it live almost immediately after writing it. Months passed before Starr discovered the site carried a SQL injection vulnerability that could have let an attacker read or alter data they had no business touching.
The Flaw That Slipped Through
SQL injection is one of the oldest and best-documented attack classes in web security. It arises when an application builds a database query by splicing user-supplied text into the SQL itself, so that a crafted input (a stray quote, an appended OR clause, a UNION) is parsed as part of the statement rather than treated as data. A successful exploit lets an attacker read private records, modify stored data, or, depending on the privileges of the database account and the server's configuration, escalate further into the system. Starr's Boomberg site was exposed to exactly that risk for as long as it sat unaudited.
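To make the mechanism concrete, here is an added example; it is not code from Boomberg, whose stack and schema the article does not describe. It builds a constructed SQLite table of vendor contracts plus an assumed private `admin_users` table, then queries it once by formatting the caller's input into the SQL text and once with a bound parameter. The table names, columns, rows and the two attacker inputs are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample data for illustration; not Boomberg's real schema or figures.
CONTRACTS = [
    ("Acme Cloud", "DoD", 1_200_000),
    ("Globex Analytics", "HHS", 450_000),
    ("Initech", "DoD", 75_000),
]
ADMINS = [("bob", "$2b$12$constructed.example.hash")]  # assumed private table


def make_db():
    """Build an in-memory database with one public table and one private one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contracts (vendor TEXT, agency TEXT, amount INTEGER)")
    conn.execute("CREATE TABLE admin_users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO contracts VALUES (?, ?, ?)", CONTRACTS)
    conn.executemany("INSERT INTO admin_users VALUES (?, ?)", ADMINS)
    return conn


def contracts_by_vendor_vulnerable(conn, vendor):
    """The injectable pattern: the caller's input is spliced into the query
    text, so a quote character in `vendor` changes the statement itself."""
    sql = f"SELECT vendor, agency, amount FROM contracts WHERE vendor = '{vendor}'"
    return conn.execute(sql).fetchall()


def contracts_by_vendor_safe(conn, vendor):
    """The fix: the SQL text is constant; the value travels as a bound
    parameter and is never parsed as part of the statement."""
    sql = "SELECT vendor, agency, amount FROM contracts WHERE vendor = ?"
    return conn.execute(sql, (vendor,)).fetchall()


# Two constructed attacker inputs: the first widens the WHERE clause to every
# row, the second appends a UNION that reads the private admin_users table
# and comments out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_LEAK = "' UNION SELECT username, password_hash, 0 FROM admin_users --"

if __name__ == "__main__":
    conn = make_db()
    print("legitimate :", contracts_by_vendor_safe(conn, "Initech"))
    print("vulnerable :", contracts_by_vendor_vulnerable(conn, TAUTOLOGY))
    print("leak       :", contracts_by_vendor_vulnerable(conn, UNION_LEAK))
    print("safe       :", contracts_by_vendor_safe(conn, UNION_LEAK))
```

Running it shows the vulnerable query returning all three contracts for the tautology input and the admin password hash for the UNION input, while the parameterized query returns nothing for either, because the driver hands the value to SQLite as data. Parameterization is the fix for the query; it is not a substitute for running the public-facing endpoint under a database account that can only read the tables it needs, which is what bounds the "escalate further" case above.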
Starr described the gap plainly: it was a glaring oversight, a complete blind spot in his understanding of the technology he was using. He was direct that he expected others building with AI-assisted tools were making the same mistake.
What Vibe-Coding Skips
The Boomberg case crystallizes a structural problem with the current generation of AI-assisted development, commonly called vibe-coding, in which a developer describes intent and lets a language model generate the implementation. The workflow dramatically compresses the time between idea and deployment, but it does nothing to shrink the attack surface of what gets deployed. Security review, threat modeling, input validation, and parameterized data access are disciplines that sit outside the generation loop. If the developer does not know to ask for them, nothing guarantees the model will volunteer them.
Starr was not a novice acting recklessly; he is a professional in the tech sector who built something with clear public-interest value. The vulnerability was not visible to him because his mental model of the technology had not yet incorporated the security layer — a gap that is common precisely because vibe-coding tools market themselves on speed and accessibility, not on secure-by-default output.
The Second-Order Risk
The broader concern is one of scale. Vibe-coded applications are proliferating across the internet, many of them built by people whose primary skill set is domain expertise rather than software engineering. A project manager who wants to visualize government spending data should be able to build that tool — but the distribution of that capability, absent any corresponding distribution of security literacy, produces a long tail of publicly accessible applications carrying unreviewed vulnerabilities.
Starr's Boomberg site surfaced the issue before anything was exploited. Many will not be that fortunate. For developers shipping AI-generated code to production, the minimum viable security posture now includes a deliberate audit pass — specifically for injection flaws, authentication gaps, and data exposure — that vibe-coding tools do not yet provide automatically.
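The audit pass the article calls for can at least be started mechanically. What follows is an added example, not a tool Boomberg ships or anything Starr described: a heuristic scanner that flags Python lines where a database `execute`-style call receives SQL assembled with an f-string, `%` formatting, `.format()` or `+` concatenation, which are the patterns that produce the injectable query shown earlier. The sample source it runs over is constructed for this example; the function names in it are assumptions.

```python
import re

# An execute-style call on some connection or cursor object. `raw` covers
# Django's Manager.raw(); the others are the DB-API names.
_EXEC = re.compile(r"\.(execute|executemany|executescript|raw)\s*\(")

# Ways the SQL argument can be assembled from variables. Each is a signal for
# manual review, not proof of injection: string-to-string concatenation and
# LIKE wildcards such as '%' are deliberately not matched.
_SUSPICIOUS = [
    ("f-string", re.compile(r"""\(\s*f["']""")),
    ("%-format", re.compile(r"""["']\s*%\s+[\w(]""")),
    (".format()", re.compile(r"""\.format\s*\(""")),
    ("concatenation", re.compile(r"""["']\s*\+\s*\w""")),
]


def audit_sql_lines(source):
    """Return (line_number, pattern_label, stripped_line) for every line in
    `source` whose execute-style call builds its SQL from variables."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = _EXEC.search(line)
        if not m:
            continue
        tail = line[m.start():]  # only look at the call and its arguments
        for label, pattern in _SUSPICIOUS:
            if pattern.search(tail):
                findings.append((lineno, label, line.strip()))
                break
    return findings


# Constructed sample source: four injectable query builders, then two that
# bind their values and must not be flagged.
SAMPLE_SOURCE = '''
def by_vendor(conn, vendor):
    return conn.execute(f"SELECT * FROM contracts WHERE vendor = '{vendor}'").fetchall()

def by_agency(conn, agency):
    return conn.execute("SELECT * FROM contracts WHERE agency = '%s'" % agency).fetchall()

def by_amount(conn, floor):
    return conn.execute("SELECT * FROM contracts WHERE amount > " + str(floor)).fetchall()

def by_name(conn, name):
    return conn.execute("SELECT * FROM contracts WHERE vendor = {}".format(name)).fetchall()

def by_vendor_safe(conn, vendor):
    return conn.execute("SELECT * FROM contracts WHERE vendor = ?", (vendor,)).fetchall()

def search(conn, q):
    return conn.execute("SELECT * FROM contracts WHERE vendor LIKE '%' || ? || '%'", (q,)).fetchall()
'''

if __name__ == "__main__":
    for lineno, label, text in audit_sql_lines(SAMPLE_SOURCE):
        print(f"line {lineno:>3}  {label:<14} {text}")
```

The scanner is single-line and pattern-based, so a query assembled across several statements, built through an ORM's raw-SQL escape hatch under another name, or produced by a helper function will slip past it; its job is to produce the list of call sites a human then reads, not to certify the code. Established linters such as Bandit (its hardcoded-SQL check) and Semgrep's injection rules do the same job with more coverage and are the better starting point for a real audit.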