AI-Generated Code Riddled with Critical Vulnerabilities

A security researcher scanned 100 real-world apps built using the AI-powered Cursor tool and found that 67% had at least one critical vulnerability, including IDOR, inverted authentication, and hardcoded secrets.


Why it matters

This research highlights the critical security risks associated with AI-generated code, which is increasingly being used in real-world applications.

Key Points

  • 67% of the 100 Cursor-built apps had at least one critical vulnerability
  • The most common issue was Insecure Direct Object Reference (IDOR), affecting 43% of apps
  • 31% of apps had their authentication middleware inverted, allowing anyone without a session to access protected routes
  • 22% of apps had hardcoded secrets exposed in the codebase

Details

The researcher, who has been building a security scanner for AI-generated code called ShipSafe, decided to test the quality of Cursor-built applications. They scanned 100 real-world Cursor-built repos, including SaaS tools, internal dashboards, and e-commerce stores, and found that 67% had at least one critical vulnerability. The average number of issues per app was 3.2, with the worst app having 14 separate problems. The most common vulnerability was IDOR, where an API route fetched data based solely on the ID in the URL without any access control check. Another major issue was inverted authentication, where the middleware redirected logged-in users to the login page while allowing anyone without a session to access protected routes. The researcher also found hardcoded secrets exposed in the codebase. These findings align with previous research from Stanford that found around 45% of AI-assisted code has vulnerabilities; the researcher's numbers are likely worse because the sample focused on production apps rather than a lab setup.
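The two most common findings, IDOR and the inverted auth middleware, are shown below as a vulnerable handler beside its fixed form. This is an added example, not code from the article or from the ShipSafe scanner; the invoice data, route shapes and function names are constructed for illustration.

```javascript
// Constructed in-memory "database": invoices owned by different users.
const invoices = new Map([
  [1, { id: 1, ownerId: "alice", total: 120 }],
  [2, { id: 2, ownerId: "bob", total: 999 }],
]);

// IDOR: the record is fetched solely by the ID in the URL, with no
// check that the requesting user owns it.
function getInvoiceVulnerable(req) {
  const inv = invoices.get(Number(req.params.id));
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Fixed: the lookup is scoped to the authenticated user. A mismatch
// returns 404 rather than 403 so the response does not confirm that
// another user's record exists.
function getInvoiceSafe(req) {
  const inv = invoices.get(Number(req.params.id));
  if (!inv || inv.ownerId !== req.user.id) return { status: 404 };
  return { status: 200, body: inv };
}

// Inverted middleware: the condition is backwards, so logged-in users are
// bounced to /login while anonymous requests reach protected routes.
function authMiddlewareInverted(req) {
  if (req.session) return { redirect: "/login" };
  return { next: true };
}

// Fixed: only requests that carry a session may proceed.
function authMiddlewareFixed(req) {
  if (!req.session) return { redirect: "/login" };
  return { next: true };
}

// Demo: bob's session asking for alice's invoice (id 1).
const bobsRequest = { params: { id: "1" }, session: { userId: "bob" }, user: { id: "bob" } };
console.log(getInvoiceVulnerable(bobsRequest).status); // 200: alice's data leaks to bob
console.log(getInvoiceSafe(bobsRequest).status);       // 404
console.log(authMiddlewareInverted({}).next);          // true: anonymous request passes
console.log(authMiddlewareFixed({}).redirect);         // /login
```

A unit test that exercises each protected route with a second user's session and with no session at all catches both bug classes before they reach production.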
