[larve]

Not only would you contact the author first, but spamming users with edgy notifications is puerile at best. As for “it’s just prompting an AI”, who cares, this person built an application that people find useful. This is the world we are at now, where a new set of people can use computers to make things happen. More senior developers can rage against the clouds, but that only gets you so far. This kind of gatekeeping happens at each wave of democratization of building software.

There’s also some pervasive view that handcrafted human code is somehow of superior quality which… uh…

[throwaway150]

> Not only would you contact the author first

They did. They claim that the author was not keen on fixing the problems.

> There’s also some pervasive view that handcrafted human code is somehow of superior quality which… uh…

That's completely orthogonal to the issue here. Nice bait, but I'm not biting!

Whether handcrafted or vibecoded, a service is being shipped here to actual users with lives and consequences. The developer of the service is making money. The developer owes it to themselves and their users to conduct a basic security audit. Otherwise it is gross negligence!

[larve]

right, do you think this article is going to be very productive in that regard? If the author of the blog approached the author of the software in that manner (hey, you have kids on the app, btw I spammed them with porn humor), do you think they would wave it away?

As for the human code thing, it's not bait. I don't know if you were around in the php or early node days, but beginners were... not writing that kind of code.

I agree that the ease of vibecoding things that turn out to be useful that people do immediately want to pay money for it means that tackling security issues is a priority.

Saying that certain people shouldn't be allowed on the internet, based on your decades of experience _being_ on the internet, is just going to cause you to wither away and drown in cynicism.

[hammyhavoc]

> As for “it’s just prompting an AI”, who cares, this person built an application that people find useful.

I feel you've rather missed my point.

You said that we should educate people. I said that the app was just created via prompting. How can we impart years worth of information unto someone who is LARPing as a dev and doesn't even know the fundamentals?

This is the programming equivalent of a kid getting access to their father's gun. The only thing you can do is tell them to stop, explain why it was wrong and tell them to educate themselves. It isn't our job to educate at that level as bystanders and perhaps even victims.

[larve]

I feel like it is. What should happen? Everybody born after 2015 is forbidden to use a computer? Or should only be allowed under strict supervision to be typing in code by hand? When people told me that in the nineties, with my linux, putting up shoddy cgi-bins, I just gave them the finger and said "whatever man".

The people who made an influence in my life and taught me how to do things properly were those that took me seriously as someone building software. And this person built software, the same way I now build software without having to think about every byte and malloc, and knowing that I don't really have to gaf about how much memory i allocate. It's fine, because we have good GCs and a lot of resources to learn about memory management when things hit the limit. The solution wasn't to say that everybody not programming C or assembly would not be allowed near a computer.

[cityofdelusion]

What should happen? Probably what happened here — disclose and when the developer chooses to ignore it, bring in the shaming and pressure campaign. Someone’s right to tinker and learn doesn’t trump the rights of the victims they are exposing. Releasing code for public consumption has responsibilities and no one is entitled to make money at the expense of others. If I started selling dodgey go karts made from scrap metal to kids it would be the same principle. I am entitled to mess around and even ride it myself, but bringing other people into your orbit of incompetence is another thing.

[larve]

maybe the article should reflect that? This just seems like "I found an app that has a security hole and I'm being a dick about it". Sure, feel free to do it, I don't think it's productive, and actually toxic. This is not a new situation, this is a pattern that we have observed since the internet existed, vibe coding or not. However, compared to 30 years ago, we now have better investigation and disclosure procedures, as well as a much better understanding of how to build secure applications and teaching people about them. It's not about this guy Christian, it's about a whole generation of new developers that are joining us more senior developers. I think that is fantastic.

[hammyhavoc]

I feel you're taking the idea of someone being disallowed to do something too literally. The younger generations say extreme stuff all the time, but you don't take it literally. Context is key. Op's girlfriend is in her mid twenties according to the blog post if she didn't lie about her age on the account she registered. This is what people in their twenties are like these days.

The dev is making money from his prompted output—he can pay for his own education if he chooses to receive an education, but you have boundary issues if you want to force someone to be educated. This is what op realized that you didn't—you usually cannot force someone to learn or take responsibility for their behaviour as a bystander, you can only document it and attempt to get help from someone more able to do so once they've got all the facts. Do I agree with the method completely? No, but what's done is done.

What is necessary here isn't an education, it's personal development and emotional maturity, which comes with experience and thus comes through time, allowing accountability for mistakes. You can't teach that to someone who isn't ready for it who doesn't want to learn it.

I was a young dickhead too once, I know them when I see them. You only have to see their tweets to realize they are a young dickhead.

We go back to likening it to a kid finding their father's gun or stealing condoms from their old man. Sure, they can produce a child when it turns to shit, but the time to have learned is before, not after. After? It's about taking responsibility for your actions. The action has been taken, the consequences must now be dealt with as per law.

What should happen? Apple should take the app down immediately and an internal investigation should be started. The host should follow their policies on ToS breaches and account termination and report it to the relevant authorities to protect their own legal interests. As for the dev? I personally don't care, we are far beyond that moment now. What about the users? Will they be informed? What's the scale? Are their passwords compromised too?

Complete assholes can build things—why should we give them energy to build things that serve their own asshole agenda? It's an unoriginal, derivative slop app. If the dev wants to learn, they can pay for an education, but they'd be better off seeking legal counsel immediately.

Anyone can make software. But not everybody should with the level of personal development they're at in any given moment. It's an ever-moving target. Teen pregnancy or in young adolescence? Disaster. Pregnancy in thirties? Normal and can deal with it. Time changes things. Sometimes. For some people.

Romanticising what happened to you in the '90s helps nobody. It's 2025. There are laws to protect people from things like this, and Apple slipped up big time in approving this in the first place. There also weren't the vast syllabi in place in the '90s, the embarrassment of riches in readily available educational materials beginning at free or cheap either. The dev can pay for an LLM, so he can pay for an education if he wants one.

The dev wanted a shortcut though because he is lazy. Play stupid games, win stupid prizes.

Op is young too, but op is clearly intelligent and well-intentioned. There's no money in him having written the blog post, and even if it misses the mark on several levels for me, I understand what they're trying to do. The dev? Greedy and lazy with zero regard for their users, law, and shirks accountability.

If you want to educate anyone, educate op who wrote the blog post, their heart is at least in the right place, but obviously young too. It happens to all of us.

Despite being an ancient one, you too perhaps have some personal development to work on, despite your greater number of years. You immediately jump down the throat of people you incorrectly perceive to be shit-talking using AI to code, and that's because it clearly touches something you're insecure about as you do this: https://x.com/ProgramWithAI

If you're so sure of yourself and that what happened to you is so great, where is your own confidence? The inability to engage with the topic at hand yet consistently attempting to make it about something else entirely screams insecurity or abusing an LLM to parse everything for you. The loudest people are frequently the least confident.

If you don't see what's wrong with what the dev did or what Apple failed to do then that says it all. If you're using these tools to prompt your way into being a dev and seeing these problems too then perhaps you should feel unconfident. I would be quaking in my boots at seeing someone else go through a "that could have been me with a different roll of the dice" kind of scenario.

Don't mistake vibe coders for developers. They're frequently prompt engineers LARPing as devs. Likewise, musicians are not always composers, and DJs are not always musicians. Totally different disciplines. Loaded digital guns in the hands of young dickheads is not "fantastic"—it's a disaster of unprecedented scale. "Us senior devs" are the father figures and they've gotten access to not just one gun, but the entire global armory with the inevitable lack of judgement capabilities typical of someone their age.

A blog post is going to be the least of the dev's concerns, frankly. The likely legal shitstorm that's probably coming his way is going to make your comments here look bizarre.

[rockemsockem]

You didn't read the article so your opinion is void.

They spammed their girlfriend's account only which the author had them set up for exactly that purpose.

[larve]

fair enough, i missed that part.

[hammyhavoc]

You seem to have missed plenty from that article. Did you use an LLM to summarize it or something?