[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-why-vibe-coding-is-broken-until-security-comes-first-zh":3,"tags-why-vibe-coding-is-broken-until-security-comes-first-zh":35,"related-lang-why-vibe-coding-is-broken-until-security-comes-first-zh":44,"related-posts-why-vibe-coding-is-broken-until-security-comes-first-zh":48,"series-industry-f51b060c-3b90-4d1a-b6b9-3d4caef1138e":85},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":19,"translated_content":10,"views":20,"is_premium":21,"created_at":22,"updated_at":22,"cover_image":11,"published_at":23,"rewrite_status":24,"rewrite_error":10,"rewritten_from_id":25,"slug":26,"category":27,"related_article_id":28,"status":29,"google_indexed_at":30,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":31,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":21},"f51b060c-3b90-4d1a-b6b9-3d4caef1138e","Why vibe coding is broken until security comes first","\u003Cp data-speakable=\"summary\">\u003Ca href=\"\u002Ftag\u002Fvibe-coding\">Vibe coding\u003C\u002Fa> that puts security last turns fast code generation into fast risk expansion.\u003C\u002Fp>\u003Cp>I think vibe coding is broken until security is treated as a first-order requirement, because Lovable's run of incidents shows that speed without controls does not end in efficiency; it ends in exposure at scale.\u003C\u002Fp>\u003Cp>Lovable is not a single slip. Three security incidents have been documented, involving leaked source code, database credentials, chat logs and user data, and the most recent \u003Ca href=\"\u002Fnews\u002Fmcp-flaw-expose-150-million-downloads-zh\">vulnerability\u003C\u002Fa> stayed open for 48 days after a researcher reported it. That is not what an edge case looks like; it is a product structure that lacks secure defaults from the prompt through to deployment.\u003C\u002Fp>\u003Ch2>First argument\u003C\u002Fh2>\u003Cp>This is not a one-off bug but a structural failure. In April a researcher showed that Lovable's \u003Ca href=\"\u002Ftag\u002Fapi\">API\u003C\u002Fa> had broken object-level authorization: a free account needed only five API calls to reach other people's personal data, public projects, source code and database credentials. The company patched new projects, but existing projects stayed exposed, which means the problem is not in one code fragment but in the deployment model itself: a vulnerability, once found, can stay in real customer environments for a long time.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778011846801-32g7.png\" alt=\"Why vibe coding is broken until security comes first\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The February incident shows even more clearly that this is not a single point of failure. An app hosted on Lovable with more than 100,000 views on the Discover page turned out to contain 16 vulnerabilities, 6 of them critical, and leaked 18,697 user records. Worse, its authentication logic was inverted: anonymous users got in while logged-in users were blocked. That is not a normal product defect; it is the most typical outcome of generative development when you ship first and understand later.\u003C\u002Fp>\u003Ch2>Second argument\u003C\u002Fh2>\u003Cp>Lovable's crisis also exposes the commercial incentives behind this product category. The company first denied the breach, then blamed the documentation, then the bug bounty partner, and only then offered a partial apology. That is not just a PR failure; it is evidence that the platform put its growth narrative ahead of victims' data. When a security report can be marked duplicate and closed while the actual exposure persists, the process itself is tuned for speed, not remediation.\u003C\u002Fp>\u003Cp>The market rewards that bias. Lovable reached $4 million ARR in four weeks and $10 million in two months, then raised at a $6.6 billion valuation. Growth like that creates brutal product incentives: ship faster, sign up more users, monetize sooner. Security work is slow, expensive and invisible, so commercial success itself becomes a risk amplifier, because what investors praise is exactly what makes it hardest for a team to hit the brakes.\u003C\u002Fp>\u003Ch2>What the other side might say\u003C\u002Fh2>\u003Cp>The strongest objection is that vibe coding is still young and every new platform goes through a hardening period. Supporters will also point out that Lovable is not the only place with problems. Across the industry, AI-generated code has been found to carry a high proportion of vulnerabilities, and traditional software teams routinely make the same old mistakes with access control, leaked secrets and misconfigured databases. On this view, Lovable is just the more visible case and does not prove that vibe coding itself has no future.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778011857419-1emq.png\" alt=\"Why vibe coding is broken until security comes first\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Part of that is right: the category will not disappear, and it need not be written off because of early accidents. The question is whether a platform can let non-specialists build production systems without forcing security into the workflow. Lovable's case shows that, today, it cannot. If a platform can leak credentials, leave old projects exposed and close security reports carelessly, the responsibility cannot be pushed onto users who were never given adequate tools in the first place.\u003C\u002Fp>\u003Ch2>What you can do\u003C\u002Fh2>\u003Cp>If you are an engineer, do not treat vibe-coded output as a draft to be fixed later: put authentication, row-level security, secret scanning and dependency checks into the first review, not the last. If you are a PM or founder, stop using time to launch as the primary metric and look instead at how many insecure defaults were removed before launch. If you procure or approve these tools, demand independent security testing, incident disclosure rules, and a hard rule that any app exposing credentials or disabling access control does not ship. This category will keep growing; the real question is whether your team wants to wait for someone else's breach to teach the lesson.\u003C\u002Fp>","Vibe coding is not a category where you go fast first and patch later; unless security is the default, platforms like Lovable turn low-barrier development into high-risk launches.","thenextweb.com","https:\u002F\u002Fthenextweb.com\u002Fnews\u002Flovable-vibe-coding-security-crisis-exposed",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778011846801-32g7.png",[13,14,15,16,17,18],"vibe coding","Lovable","application security","security first","AI-generated code","product risk","zh",0,false,"2026-05-05T20:10:23.979566+00:00","2026-05-05T20:10:23.75+00:00","done","78648a53-cb12-492e-ada0-909a5df5e340","why-vibe-coding-is-broken-until-security-comes-first-zh","industry","93b08b81-e13b-43fc-89b8-64a5ca8567e1","published","2026-05-06T09:00:21.827+00:00",[32,33,34],"Without security as the default, vibe coding turns low-barrier development into high-risk launches.","Lovable's multiple incidents show the problem is structural, not a single vulnerability.","Engineering, product and procurement should all move security checks to the first stage of the process.",[36,38,40,41,43],{"name":17,"slug":37},"ai-生成程式碼",{"name":14,"slug":39},"lovable",{"name":16,"slug":16},{"name":13,"slug":42},"vibe-coding",{"name":15,"slug":15},{"id":28,"slug":45,"title":46,"language":47},"why-vibe-coding-is-broken-until-security-comes-first-en","Why vibe coding is broken until security comes first","en",[49,55,61,67,73,79],{"id":50,"slug":51,"title":52,"cover_image":53,"image_url":53,"created_at":54,"category":27},"96d96399-f674-4269-997a-cddfc34291a0","iren-signs-nvidia-ai-infrastructure-pact-zh","IREN signs Nvidia AI infrastructure pact","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871057561-bukp.png","2026-05-15T18:50:37.57206+00:00",{"id":56,"slug":57,"title":58,"cover_image":59,"image_url":59,"created_at":60,"category":27},"de12a36e-52f9-4bca-8deb-a41cf974ffd9","circle-agent-stack-ai-payments-zh","Circle launches Agent Stack for AI payments","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778870462187-t9xv.png","2026-05-15T18:40:30.945394+00:00",{"id":62,"slug":63,"title":64,"cover_image":65,"image_url":65,"created_at":66,"category":27},"e6379f8a-3305-4862-bd15-1192d3247841","why-nebius-ai-pivot-is-more-real-than-hype-zh","Why Nebius's AI pivot is more real than the hype","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778823044520-9mfz.png","2026-05-15T05:30:24.978992+00:00",{"id":68,"slug":69,"title":70,"cover_image":71,"image_url":71,"created_at":72,"category":27},"66c4e357-d84d-43ef-a2e7-120c4609e98e","nvidia-backs-corning-factories-with-billions-zh","Nvidia funds Corning factory expansion","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778822450270-trdb.png","2026-05-15T05:20:27.701475+00:00",{"id":74,"slug":75,"title":76,"cover_image":77,"image_url":77,"created_at":78,"category":27},"31d8109c-8b0b-46e2-86bc-d274a03269d1","why-anthropic-gates-foundation-ai-public-goods-zh","Why Anthropic and the Gates Foundation should invest in A…","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778796636474-u508.png","2026-05-14T22:10:21.138177+00:00",{"id":80,"slug":81,"title":82,"cover_image":83,"image_url":83,"created_at":84,"category":27},"17cafb6e-9f2c-43c4-9ba3-ef211d2780b1","why-observability-is-critical-cloud-native-systems-zh","Why observability is a survival condition for cloud-native systems","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778794245143-tfqn.png","2026-05-14T21:30:25.97324+00:00",[86,91,96,101,106,111,116,121,126,131],{"id":87,"slug":88,"title":89,"created_at":90},"ee073da7-28b3-4752-a319-5a501459fb87","ai-in-2026-what-actually-matters-now-zh","AI in 2026: what actually matters now","2026-03-26T07:09:12.008134+00:00",{"id":92,"slug":93,"title":94,"created_at":95},"83bd1795-8548-44c9-9a7e-de50a0923f71","trump-ai-framework-power-speech-state-preemption-zh","Trump AI framework targets power, speech and state preemption","2026-03-26T07:12:18.695466+00:00",{"id":97,"slug":98,"title":99,"created_at":100},"ea6be18b-c903-4e54-97b7-5f7447a612e0","nvidia-gtc-2026-big-ai-announcements-zh","NVIDIA GTC 2026: the key announcements","2026-03-26T07:14:26.62638+00:00",{"id":102,"slug":103,"title":104,"created_at":105},"4bcec76f-4c36-4daa-909f-54cd702f7c93","claude-users-spreading-out-and-getting-better-zh","Claude users are spreading out and getting better","2026-03-26T07:22:52.325888+00:00",{"id":107,"slug":108,"title":109,"created_at":110},"bd903b15-2473-4178-9789-b7557816e535","openclaw-raises-hard-question-for-ai-models-zh","OpenClaw raises a hard question for AI models","2026-03-26T07:24:54.707486+00:00",{"id":112,"slug":113,"title":114,"created_at":115},"eeac6b9e-ad9d-4831-8eec-8bba3f9bca6a","gap-google-gemini-checkout-fashion-search-zh","Gap moves checkout into Gemini","2026-03-26T07:28:23.937768+00:00",{"id":117,"slug":118,"title":119,"created_at":120},"0740e53f-605d-4d57-8601-c10beb126f3c","google-pushes-gemini-transition-to-march-2026-zh","Google pushes the Gemini transition to March 2026…","2026-03-26T07:30:12.825269+00:00",{"id":122,"slug":123,"title":124,"created_at":125},"e660d801-2421-4529-8fa9-86b82b066990","metas-llama-4-benchmark-scandal-gets-worse-zh","Meta's Llama 4 benchmark scandal gets worse","2026-03-26T07:34:21.156421+00:00",{"id":127,"slug":128,"title":129,"created_at":130},"183f9e7c-e143-40bb-a6d5-67ba84a3a8bc","accenture-mistral-ai-sovereign-enterprise-deal-zh","Accenture partners with Mistral AI to sell sovereign AI","2026-03-26T07:38:14.818906+00:00",{"id":132,"slug":133,"title":134,"created_at":135},"191d9b1b-768a-478c-978c-dd7431a38149","mistral-ai-faces-its-hardest-year-yet-zh","Mistral AI faces its hardest year yet","2026-03-26T07:40:23.716374+00:00"]
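The row-level security item in the "What you can do" checklist above, and the inverted authentication logic described for the February incident, as one added example that is not code from the article or from Lovable. It assumes a Supabase-style Postgres where auth.uid() returns the signed-in caller's id (NULL for an anonymous caller) and where the anon and authenticated roles already hold the usual table privileges; the table projects and its columns are illustrative. The weak setting (an inverted policy, which lets anonymous callers read everything and locks signed-in users out) is shown beside the corrected policy set, followed by two catalog queries a reviewer can run to find tables with RLS switched off and policies whose conditions look wrong.

```sql
-- Added example; not the article's or Lovable's code.
-- Assumptions: Supabase-style Postgres, auth.uid() yields the caller's id
-- (NULL when anonymous), roles anon/authenticated exist with table grants.
-- The table and column names below are illustrative.

create table if not exists projects (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  name     text not null,
  db_url   text   -- a credential; with no row filter, any tenant can read it
);

-- WEAK SETTING A: RLS never enabled. A freshly created table has no row
-- filter, so the API can fetch any project by id with no ownership test.
-- That is the broken object-level authorization the article describes.

-- WEAK SETTING B: RLS on, but the policy condition is inverted. Anonymous
-- callers (auth.uid() is null) see every row; signed-in users see none.
alter table projects enable row level security;
create policy "inverted" on projects
  for select
  using (auth.uid() is null);

-- CORRECTED: remove the inverted policy, force RLS so it also binds the
-- table owner, and scope every operation to rows the caller owns. With no
-- policy granted to anon, anonymous callers get nothing (RLS is default deny).
drop policy if exists "inverted" on projects;
alter table projects enable row level security;
alter table projects force row level security;

create policy "projects_select_own" on projects
  for select to authenticated
  using (owner_id = auth.uid());

create policy "projects_insert_own" on projects
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "projects_update_own" on projects
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "projects_delete_own" on projects
  for delete to authenticated
  using (owner_id = auth.uid());

-- CHECK 1: every ordinary table in the public schema with RLS still off.
-- Each one is reachable object-by-object through the API with no row filter.
select c.relname, c.relrowsecurity, c.relforcerowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- CHECK 2: every policy on the table with its USING / WITH CHECK expressions,
-- so a condition like "(auth.uid() IS NULL)" stands out at review time.
select p.polname,
       p.polcmd,
       pg_get_expr(p.polqual, p.polrelid)      as using_expr,
       pg_get_expr(p.polwithcheck, p.polrelid) as with_check_expr
from pg_policy p
where p.polrelid = 'public.projects'::regclass;
```

FORCE ROW LEVEL SECURITY makes the policies bind the table owner as well, but a role with the BYPASSRLS attribute (a superuser or a backend service role) still bypasses them, so such a key must never be shipped to a client. Keeping the secret column out of any API-readable table altogether is stricter than relying on the row filter alone; the filter is the minimum, not the goal.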