- Researchers found that the Base44 vibe coding platform contained a security flaw
- It allowed threat actors to access data that should have been off-limits
- The bug was fixed within 24 hours, with no signs of abuse
The Base44 vibe coding platform contained a major security vulnerability that could have allowed unauthorized users to access other people's private applications, experts have warned.
The problem was discovered in early July 2025 by Wiz Research security professionals, who explained how API endpoints exposed on the Base44 platform allowed threat actors to create a verified account on private applications using nothing more than the app_id, a publicly visible piece of code.
Normally, authentication systems require valid credentials and some proof of identity, but the Base44 configuration apparently let anyone bypass these checks using only this identifier. Think of it as walking up to a locked office building, shouting "I am here for app_id 12345", and having the doors open with no questions asked.
Attackers could simply take an app_id from public files and use it to "register" through unprotected API routes, gaining access to applications that handled sensitive employee data and company communications.
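The pattern described above, as an added illustration that is not Base44's or Wiz's code: a registration handler that grants a verified account to anyone who knows the public app_id, beside one that requires an unforgeable invitation bound to the app and the registrant's address. The store layout, token scheme and secret are hypothetical.

```python
import hmac
import hashlib

SERVER_SECRET = b"constructed-server-secret"  # hypothetical; a real deployment would load this from a secret store


def make_store() -> dict:
    """Constructed sample state: one private app, with alice invited and nobody registered."""
    return {"12345": {"users": {}, "invited": {"alice@example.com"}}}


def register_insecure(store: dict, app_id: str, email: str) -> bool:
    """Vulnerable pattern: knowing the public app_id is enough to get a verified account."""
    app = store.get(app_id)
    if app is None:
        return False
    app["users"][email] = {"verified": True}  # no invitation, no proof of identity
    return True


def issue_invite(app_id: str, email: str) -> str:
    """Server side: mint an invitation token tied to both the app and the address.
    It is delivered to that address, so presenting it later proves control of the mailbox."""
    msg = f"{app_id}:{email}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def register_secure(store: dict, app_id: str, email: str, invite_token: str) -> bool:
    """Hardened pattern: the address must be on the app's invite list and the caller
    must present the token that was sent to it; the app_id alone grants nothing."""
    app = store.get(app_id)
    if app is None or email not in app["invited"]:
        return False
    expected = issue_invite(app_id, email)
    if not hmac.compare_digest(expected, invite_token):  # constant-time comparison
        return False
    app["users"][email] = {"verified": True}
    return True


def can_access(store: dict, app_id: str, email: str) -> bool:
    """Access check a private app would run on every request."""
    user = store.get(app_id, {}).get("users", {}).get(email)
    return bool(user and user["verified"])
```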
The vulnerability could have affected corporate applications handling HR data and personally identifiable information (PII), internal chatbots and knowledge bases, as well as automation tools used in daily operations.
Once Wiz discovered the flaw, it contacted Wix, the company that owns Base44, which fixed it within a day.
Wix added that it found no signs of abuse by threat actors. The researchers also identified vulnerable applications and contacted some of the affected companies directly.
Vibe coding is a relatively new slang term for building software with generative AI and natural language rather than writing the code by hand. A developer discusses their ideas and requirements with the AI, which returns the code. The approach has gained a lot of popularity lately, but news like this highlights that it is not without risk.
Since the underlying infrastructure is shared, there is always a risk of information leaking somewhere.
Via Infosecurity magazine