A vulnerability was exploited on the drawing sharing site 'DrawAFish.com' developed with generative AI vibe coding, what lessons were learned?

A security incident occurred on DrawAFish.com , a website for drawing and sharing pictures of fish. The incident occurred shortly after DrawAFish.com gained attention by becoming number one on the social news site Hacker News.

DrawAFish.com Postmortem — Aug 3, 2025 Incident - Alden Hallak
https://aldenhallak.com/blog/posts/draw-a-fish-postmortem.html

As the name suggests, DrawAFish.com is a website where you can see fish drawings by people all over the world swimming in an aquarium.

The incident lasted for approximately six hours, from 2:00 AM to 8:00 AM Eastern Time on August 3. Specifically, all usernames were rewritten with hate speech and other offensive language, offensive fish images were approved, and beautiful fish images drawn by users were deleted.

The first reason is that an old administrator password that had previously been leaked in a data breach was used. When the developer of DrawAFish.com created it, he had set a username and six-digit password he used as a child for testing purposes. This password had previously been leaked from another site.

The developer then switched to logging in with Google authentication, completely forgetting that this password/username combination was still on the system. The attacker discovered the leaked password and was able to log into the site as an administrator.

The second cause was the lack of an authentication function in the API for changing usernames. This function was added hastily in the final stages of development, and the developers forgot about it, thinking they would review it later. As a result, no authentication such as identity verification was performed when changing usernames, and anyone could change the ID of any user.

The third cause was that the JSON Web Token (JWT) used for login authentication was not associated with a specific user. DrawAFish.com used a JWT to allow logins, but neglected to verify that the JWT belonged to the user making the request. This allowed an attacker to first log in using a leaked administrator password to obtain the administrator's JWT, then attach that JWT to their own requests, allowing them to impersonate the administrator and perform unauthorized operations.

The developer noticed the problem around 7:45 AM and began work to fix the issue. However, the configured backups did not function properly. Meanwhile, another user who noticed the JWT vulnerability exploited the vulnerability by logging in as an administrator and helping delete the inappropriate fish image approved by the attacker. The developer then contacted the user and received help with fixing the code.

The developer reflected on this incident, blaming his own development style. The site was developed using vibe coding, with extensive use of AI tools such as Copilot, but he admitted that he neglected code review, testing, and security measures during the process. The developer concluded that LLM was merely a tool, and that the developer himself was responsible for reviewing the generated code and was ultimately responsible for it.