Cloud security company Wiz discovered a critical flaw in Wix’s Base44 vibe coding platform that enabled attackers to bypass authentication and gain access to private enterprise applications. The relative simplicity of finding what should have been a secret app ID number, and using it to gain access, made the vulnerability a serious concern.
Exposed Sensitive Identification Number
An apparently randomly generated identification number, called an app_id, was embedded in public-facing paths such as the application URL and the manifest.json file. Attackers could use that data to generate a verified account, even when user registration was disabled. This bypassed the platform’s access controls, including Single Sign-On (SSO), which many organizations use for enterprise security.
The Wiz security report notes how easy it was to find the sensitive app_id numbers:
“When we navigate to any application developed on top of Base44, the app_id is immediately visible in the URI and manifest.json file path, all applications have their app_ids value hardcoded in their manifest path: manifests/{app_id}/manifest.json.”
Creating A Rogue Account Was Relatively Trivial
The vulnerability did not require privileged access or deep technical expertise. Once an attacker identified a valid app_id, they could use tools like the open source Swagger-UI to register a new account, receive a one-time password (OTP) via email, and verify the account without restriction.
From there, logging in through the application’s SSO flow granted full access to internal systems, despite the original access being restricted to specific users or teams. This process exposed a serious flaw in the platform’s assumption that the app_id would not be tampered with or reused externally.
Authentication Flaw Risked Exposure of Sensitive Data
Many of the affected apps were built using the popular Base44 vibe coding platform for internal use, supporting operations such as HR, chatbots, and knowledge bases. These systems contained personally identifiable information (PII) and were used for HR operations. The exploit enabled attackers to bypass identity controls and access private enterprise applications, potentially exposing sensitive data.
Wix Fixes Flaw Within 24 Hours
The cloud security company discovered the flaw by using a methodical process of examining public information for potential weak points, eventually culminating in finding the exposed app_id numbers, and from there creating the workflow for generating access to accounts. They next contacted Wix, which immediately fixed the issue.
According to the report published by the security company, there is no evidence that the flaw was exploited, and the vulnerability has been fully addressed.
Threat To Entire Ecosystems
The Wiz security report noted that the practice of vibe coding is proceeding at a rapid pace and with not enough time to address potential security issues, expressing the opinion that it creates “systemic risks” not just to individual apps but to “entire ecosystems.”
Why Did This Security Incident Happen?
Wix States It Is Proactive On Security
The report published a statement from Wix that states that they are proactive about security:
“We continue to invest heavily in strengthening the security of all products and potential vulnerabilities are proactively managed. We remain committed to protecting our users and their data.”
Security Company Says Discovery Of Flaw Was Simple
The report by Wiz describes the discovery as a relatively simple matter, explaining that they used “straightforward reconnaissance techniques,” including “passive and active discovery of subdomains,” which are widely accessible methods.
The security report explained that exploiting the flaw was simple:
“What made this vulnerability particularly concerning was its simplicity – requiring only basic API knowledge to exploit. This low barrier to entry meant that attackers could systematically compromise multiple applications across the platform with minimal technical sophistication.”
The existence of that report, in itself, raises the concern that if discovering the issue was “straightforward” and exploiting it had a “low barrier to entry,” how is it that Wix was proactive and yet this was not discovered?
- If they had used a third-party security testing company, why hadn’t they discovered the publicly available app_id numbers?
- The manifest.json exposure is trivial to detect. Why hadn’t that been flagged by a security audit?
The contradiction between a simple discovery/exploit process and Wix’s claimed proactive security posture raises a reasonable doubt about the thoroughness or effectiveness of their proactive measures.
Takeaways:
- Simple Discovery and Exploitation:
The vulnerability could be found and exploited using basic tools and publicly available information, with no need for advanced skills or insider access. - Bypassing Enterprise Controls:
Attackers could gain full access to internal apps despite controls like disabled registration and SSO-based identity restrictions. - Systemic Risk from Vibe Coding:
Wiz warns that fast-paced vibe coding platforms may introduce widespread security risks across application ecosystems. - Discrepancy Between Claims and Reality:
The ease of exploitation contrasts with Wix’s claims of proactive security, prompting questions about the thoroughness of their security audits.
Wiz discovered that Wix’s Base44 vibe coding platform exposed a critical vulnerability that could have enabled attackers to bypass authentication and access internal enterprise applications. The security company that discovered the flaw expressed the opinion that this incident highlights potential risks of insufficient security considerations, which can put entire ecosystems at risk.
Read the original report:
Featured Image by Shutterstock/mailcaroline