Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Vibecoding and the illusion of security- 1768

Kevin Joensen - baldur. Posted 4 Months Ago
  • AI coding is used everywhere. A particular version of it, "vibecoding", is letting the AI do the programming from a prompt alone and seeing how it does. The author of this post asked the LLM to create a 2FA login application. Can it write secure code for a 2FA application? They tried both Sonnet 4.5 and Anthropic.
  • On the first attempt, it works! A wrong 2FA token fails and the correct one succeeds. The UI even looks very similar to a CTF challenge that I wrote recently. It has a terrible flaw though: you can just brute force the OTP space, since it's only 6 digits without any brute force protections.
  • After discovering this issue, they asked the AI whether any security features were missing from the 2FA verify step. Once asked, it identified the missing rate limiting. So, unless you tell the LLM to think about security, it won't magically do it for you. This is a really good lesson.
  • They asked the LLM to fix the issue. The fix had a rate limit of 5 invalid codes that would lock out after 15 minutes. It uses the library flask-limiter, which has 1.2K stars and is fairly well maintained, and just adds the decorator to the function. After looking at the settings for Limiter, the application appears to limit by IP. Just by flipping the IP, the rate limit can be bypassed.
  • With this security issue in hand, they asked the LLM, "Is there anything faulty in the rate limitation that allows for a bypass?" Upon being asked, the LLM described the second vulnerability and fixed it. The fix had some weird cases for specific IPs but seemed okay. On a deeper look, the rate limiting was now based upon the IP and username. Again, the same issue still exists... After being asked for more security issues, it gives you a bunch of non-existent ones.
  • Vibecoding will not lead to secure code. I think my job just got a lot harder. It's a great article about someone who actually tried to write a security-sensitive application with LLMs to show it's terrible.
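
The rate-limit keys discussed above, compared side by side as a regression check a reviewer could run against generated code. This is an added example, not code from the original post or from flask-limiter; `FailureLimiter`, the key functions and the sample traffic are hypothetical, and "5 failures within a 15-minute window" is an assumed reading of the figures quoted above.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5            # figure quoted in the summary above
LOCKOUT_SECONDS = 15 * 60   # assumed: failures are counted over a 15-minute window

class FailureLimiter:
    """Blocks OTP verification for a key once it has MAX_FAILURES recent failures."""
    def __init__(self, key_func, clock=time.monotonic):
        self.key_func = key_func
        self.clock = clock
        self.failures = defaultdict(list)   # key -> timestamps of failed attempts

    def allowed(self, ip, account):
        key = self.key_func(ip, account)
        cutoff = self.clock() - LOCKOUT_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key]) < MAX_FAILURES

    def record_failure(self, ip, account):
        self.failures[self.key_func(ip, account)].append(self.clock())

# The three keying choices. `account` is assumed to come from the server-side
# session created after the password step, never from a request field.
def by_ip(ip, account): return ip                         # first fix in the post
def by_ip_and_user(ip, account): return (ip, account)     # second fix in the post
def by_account(ip, account): return account               # independent of source address

def guesses_accepted(limiter, attempts):
    """Replay failed attempts; return how many reached the OTP comparison."""
    accepted = 0
    for ip, account in attempts:
        if limiter.allowed(ip, account):
            accepted += 1
            limiter.record_failure(ip, account)
    return accepted

# Constructed test traffic: 200 wrong codes for one account, each from a
# different address in the 198.51.100.0/24 documentation range.
ROTATING = [(f"198.51.100.{i}", "alice") for i in range(1, 201)]

if __name__ == "__main__":
    for name, fn in [("ip", by_ip), ("ip+user", by_ip_and_user), ("account", by_account)]:
        n = guesses_accepted(FailureLimiter(fn), ROTATING)
        print(f"key={name:8s} wrong codes that reached verification: {n}/200")
```

Any key that includes the source address resets the counter whenever the address changes, which is why the second fix behaves like the first; only the account-only key holds the budget at 5.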