Why vibe coding is broken until security comes first

Source: thenextweb.com, https://thenextweb.com/news/lovable-vibe-coding-security-crisis-exposed
Published: 2026-05-05 (category: industry; translated from the Chinese edition)
Tags: vibe coding, Lovable, application security, security first, AI-generated code, product risk

Summary: Vibe coding is not a category where you ship fast and patch later. Unless security is the default, a platform like Lovable turns low-barrier development into high-risk deployment.

Vibe coding that leaves security for last turns fast code generation into fast risk growth.

I think vibe coding is broken until security is treated as the first requirement, because Lovable's run of incidents shows that speed without controls ends not in efficiency but in exposure at scale.

Lovable is not one slip. Three security incidents have been documented against it, involving leaked source code, database credentials, chat logs and user data, and the most recent vulnerability stayed open for 48 days after a researcher reported it. That is not what an edge case looks like. It is a product structure with no secure defaults anywhere between the prompt and the deployment.

The first argument

This is a structural failure, not a stray bug. In April a researcher showed that Lovable's API had broken object-level authorization (the first entry in the OWASP API Security Top 10, API1): a free account needed only five API calls to reach other users' personal data, public projects, source code and database credentials. The company patched the issue for new projects, but existing projects stayed exposed. A fix that only reaches newly created projects suggests the control was not enforced in the shared API layer that every project passes through, and that is a deployment-model problem, not a code-snippet problem: once found, the vulnerability could sit in real customer environments for a long time.

The February incident makes the same point even more clearly. An app hosted on Lovable with more than 100,000 views on the Discover page turned out to contain 16 vulnerabilities, 6 of them critical, and leaked 18,697 user records. Worse, its authentication logic was inverted: anonymous visitors got in, and logged-in users were blocked. One request from an unauthenticated client and one from a logged-in non-owner would have revealed it. That is not an ordinary product defect; it is the most typical outcome of generative development that ships first and understands later.

The second argument

Lovable's crisis also exposes the commercial incentives behind this kind of product. The company first denied a breach, then blamed its documentation, then its bug bounty partner, and only then issued a partial apology. That is not merely a PR failure; it is evidence that the platform placed its growth narrative ahead of the affected users' data. When a security report can be marked duplicate and closed while the exposure remains live, the process itself is tuned for speed rather than for remediation.

The market rewards that bias. Lovable reached $4 million ARR within four weeks and $10 million within two months, then raised at a $6.6 billion valuation. Growth like that creates brutal product incentives: ship faster, sign up more users, monetize sooner. Security work is slow, expensive and invisible, so commercial success itself becomes a risk amplifier: what investors praise is exactly what makes it hardest for a team to hit the brakes.

What the other side would say

The strongest objection is that vibe coding is young and every new platform goes through a hardening period. Supporters also point out that Lovable is not the only place with problems: AI-generated code across the industry has been found to carry a high proportion of vulnerabilities, and traditional software teams routinely make the same old mistakes with access control, leaked secrets and misconfigured databases. On that view Lovable is simply the more visible case, and not proof that vibe coding has no future.

Part of that is right: the category will not disappear, and it need not be written off over early accidents. The real question is whether a platform can let non-specialist users build production systems without forcing security into the workflow. Lovable's record shows that, today, it cannot. If a platform can leak credentials, leave old projects exposed and close security reports carelessly, the responsibility cannot be pushed onto users who were never given adequate tools in the first place.

What you can do

If you are an engineer, do not treat vibe-coded output as a draft to be fixed later. Put authentication, row-level security, secret scanning and dependency checks into the first review gate, not the last one. If you are a PM or founder, stop using time-to-ship as the primary metric and look instead at how many insecure defaults the product eliminated before launch. If you are procuring or approving these tools, demand independent security testing, incident disclosure rules, and a hard rule that no app which exposes credentials or disables access control goes live. This category will keep growing. The only real question is whether your team waits for someone else's breach to teach it the lesson.

Key takeaways
- Without secure defaults, vibe coding turns low-barrier development into high-risk deployment.
- Lovable's repeated incidents show the problem is structural, not a single vulnerability.
- Engineering, product and procurement should all move security checks to the first gate of the process.
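The two access-control failures described under "The first argument" (an API that hands out any project by id regardless of who is asking, and an authentication check whose condition is backwards) are shown side by side with a hardened handler in the following added example. This is illustrative code written for this page, not Lovable's code or anything from the article; the in-memory project store, the session shape `{ user }` and the fake credential strings are all constructed assumptions.

```javascript
// Added example, not code from Lovable or from the article. It models a
// project-hosting API over an in-memory store to show broken object-level
// authorization and an inverted authentication check next to a hardened
// handler. All project data is constructed; the credentials are fake.

const projects = new Map([
  ["proj-1001", { owner: "alice", visibility: "private", source: "export default app;",
                  dbUrl: "postgres://app:FAKE-PASSWORD-1@db.example.invalid/alice" }],
  ["proj-1002", { owner: "bob", visibility: "public", source: "export default app;",
                  dbUrl: "postgres://app:FAKE-PASSWORD-2@db.example.invalid/bob" }],
]);

// Fields a viewer may see. Secrets such as dbUrl are never in this view.
function publicView(id, p) {
  return { id, owner: p.owner, visibility: p.visibility, source: p.source };
}

// Vulnerable: only checks that the object exists. Any caller, authenticated
// or not, reads any project by id, database credentials included.
function getProjectVulnerable(session, projectId) {
  const p = projects.get(projectId);
  return p ? { status: 200, body: { id: projectId, ...p } } : { status: 404 };
}

// Inverted check: the condition is backwards, so logged-in users are refused
// and anonymous callers are admitted. Code that was never exercised with
// both kinds of caller can ship exactly like this.
function getProjectInverted(session, projectId) {
  if (session) return { status: 403 };
  const p = projects.get(projectId);
  return p ? { status: 200, body: publicView(projectId, p) } : { status: 404 };
}

// Hardened: authorization is decided per object from the caller's identity,
// and the response never carries secrets. A private project that the caller
// does not own answers 404, the same as a missing one, so the endpoint does
// not act as an existence oracle.
function getProjectHardened(session, projectId) {
  const p = projects.get(projectId);
  if (!p) return { status: 404 };
  if (p.visibility === "public") return { status: 200, body: publicView(projectId, p) };
  if (!session) return { status: 401 };
  if (session.user !== p.owner) return { status: 404 };
  return { status: 200, body: publicView(projectId, p) };
}

// Harvest check: walk a list of ids as an anonymous caller and count how many
// responses carry a database credential. Run it against each handler.
function countLeakedCredentials(handler, ids, session = null) {
  let leaked = 0;
  for (const id of ids) {
    const res = handler(session, id);
    if (res.status === 200 && typeof res.body.dbUrl === "string") leaked += 1;
  }
  return leaked;
}

const ids = [...projects.keys()];
console.log("vulnerable handler leaks:", countLeakedCredentials(getProjectVulnerable, ids)); // 2
console.log("hardened handler leaks:", countLeakedCredentials(getProjectHardened, ids));    // 0
```

The harvest loop is the review test worth keeping: call every object-returning endpoint once anonymously and once as a logged-in non-owner, over a range of ids, and assert that no response contains a credential. Because the hardened check lives in the shared handler rather than in per-project code, it applies to every existing project as well as new ones, which is the property the April fix lacked.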
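The "What you can do" section asks engineers to put secret scanning into the first review gate rather than the last. The following added example shows what such a gate can look like for generated source: it is illustrative code written for this page, not tooling from the article or from any platform. The rule set is a small constructed subset (a connection URI with an embedded password, a long literal assigned to a secret-looking name, a JWT-shaped literal), the environment-read exemption is an assumption about the intended pattern, and the sample files and every value in them are fake.

```javascript
// Added example, not code from the article or from any platform's tooling.
// A minimal pre-merge gate for the secret-scanning part of the first review:
// it walks generated source line by line and flags hardcoded credentials.
// The rules are illustrative, not a complete ruleset.

const RULES = [
  // Connection URI that embeds a password: scheme://user:password@host
  { id: "db-uri-with-password",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:'"]+:[^\s@'"]+@/i },
  // A literal of 12+ characters assigned to a name that looks like a secret
  { id: "hardcoded-secret-literal",
    re: /\b[A-Za-z_]*(?:secret|password|passwd|api[_-]?key|token)[A-Za-z_]*\s*[:=]\s*["'][^"']{12,}["']/i },
  // JWT-shaped literal: three base64url segments, header starting with eyJ
  { id: "jwt-literal",
    re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/ },
];

// Lines that read the value from the environment are the intended pattern
// and are not findings even when the variable name matches a secret rule.
// (Assumption: a line does not mix an env read with a second literal.)
const ENV_READ = /process\.env\.|import\.meta\.env\.|os\.environ|getenv\(/;

// Scan one file's text; returns one finding per (line, rule) hit.
function scanSource(path, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    if (ENV_READ.test(line)) return;
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ path, line: i + 1, rule: rule.id, excerpt: line.trim().slice(0, 60) });
      }
    }
  });
  return findings;
}

// Gate decision: any finding blocks the merge.
function gate(files) {
  const findings = files.flatMap(f => scanSource(f.path, f.text));
  return { ok: findings.length === 0, findings };
}

// Constructed sample of "generated" code; every value here is fake.
const SAMPLE_FILES = [
  { path: "src/db.js", text: [
    'import pg from "pg";',
    'const client = new pg.Client("postgres://app:FAKEpass123@db.example.invalid/app");',
    'const SERVICE_KEY = process.env.DB_SERVICE_KEY;',
    'export default client;',
  ].join("\n") },
  { path: "src/auth.js", text: [
    'const JWT_SECRET = "0123456789abcdef0123456789abcdef";',
    'const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.FAKEsignatureFAKEsignature";',
    'export function sign() { return token; }',
  ].join("\n") },
];

const result = gate(SAMPLE_FILES);
console.log(result.ok ? "gate: pass" : `gate: BLOCK (${result.findings.length} findings)`); // 4 findings
for (const f of result.findings) console.log(`${f.path}:${f.line} ${f.rule}`);
```

A gate like this runs on every generated change before anything is deployed, and it blocks rather than warns: a leaked database URI in generated scaffolding is exactly the kind of insecure default the article says should be counted and removed before launch. A line can match more than one rule (the JWT literal trips both the secret-name rule and the JWT-shape rule), which is fine for a blocking gate, and a production scanner would add entropy checks and per-provider key formats beyond this constructed subset.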