An AI Vibe Coding Horror Story

Original link: https://www.tobru.ch/an-ai-vibe-coding-horror-story/

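This recounts a close call at a medical practice that used a self-built, AI-generated patient management system. Because AI coding tools made it so easy, the doctor created a custom application, imported sensitive patient data, and integrated AI-powered transcription services, all without adequate security measures. The system had alarming vulnerabilities: the data was unencrypted, publicly accessible, and stored on US servers without the required data processing agreement. A patient found that they could gain full access to all records with minimal effort. The response was worryingly automated, with the doctor relying on AI-generated assurances of a fix. The entire application's code was very simple and lacked basic security protocols. The incident highlights the risks of deploying AI-built software without understanding its implications, potentially violating data privacy law and professional ethics. It is a reminder that expertise and careful oversight are needed when using AI in sensitive fields such as healthcare.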

Hacker News: An AI Vibe Coding Horror Story (tobru.ch), 19 points, posted by teichmann 25 minutes ago, 1 comment

direwolf20, 1 minute ago: So you downloaded all the data and sold it on the dark web for five figures?

Original text

And so it happened, my first real-world AI vibe coding horror story, one that affected me personally.

I went to a medical appointment and was greeted by a friendly person. Shortly after the warm welcome, they mentioned watching a video explaining how easy it is for anyone to build software with AI these days. That sparked an idea: why use an industry-proven solution when you could just build your own patient management system?

So they did exactly that. They fired up a coding agent, built a custom patient management application, imported all their existing patient data into it, and published it to the internet. They even added a feature to record conversations during appointments and send the audio to not one, but two AI services for automatic summaries. No more manual note-taking.

Everything that could go wrong, did go wrong.

A few days later, I started poking around the application. Thirty minutes in, I had full read and write access to all patient data. Everything was unencrypted and completely exposed to the open internet. My first move was to notify the person immediately. The response I got was 100% AI-generated, thanking me warmly for reporting it and assuring me they had taken immediate action by adding basic authentication and rotating some access keys.

This person had no idea what they had built, or what the consequences could be. The data wasn't just wide open: it was stored on a US server without a Data Processing Agreement, voice recordings were being sent to major US-based AI companies, and I had never been informed any of this was happening. That is not how medical patient data can be handled.
They almost certainly violated multiple provisions of the nDSG law and potentially professional secrecy laws (Berufsgeheimnis) as well, though I'm not a lawyer.

Technical Background

The entire application was a single HTML file with all JavaScript, CSS, and structure written inline. The backend was a managed database service with zero access control configured, no row-level security, nothing. All "access control" logic lived in the JavaScript on the client side, meaning the data was literally one curl command away from anyone who looked.
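The missing server-side control from the paragraph above, as an added example that is not code from the original post or from the application it describes. It assumes a PostgreSQL-compatible managed database; the table, column and role names and the `app.staff_id` session setting are hypothetical.

```sql
-- Added example. Assumptions (not from the original post): PostgreSQL-compatible
-- database; hypothetical roles "anon" (what the browser connects as without
-- logging in) and "clinic_staff"; hypothetical table and column names; a
-- hypothetical session setting app.staff_id set by a trusted backend after login.
CREATE ROLE anon NOLOGIN;
CREATE ROLE clinic_staff NOLOGIN;
CREATE TABLE patients (
    id                uuid PRIMARY KEY,
    treating_staff_id uuid NOT NULL,
    full_name         text NOT NULL,
    notes             text
);

-- BEFORE: the state the post describes. The unauthenticated role can read and
-- write every row, so any "access control" in client-side JavaScript is cosmetic.
GRANT ALL ON patients TO anon;

-- AFTER: the database itself decides who may touch which rows.
BEGIN;

-- 1. Unauthenticated clients get no privileges on the table at all.
REVOKE ALL ON patients FROM PUBLIC;
REVOKE ALL ON patients FROM anon;

-- 2. Staff get only the operations they need (no DELETE, no TRUNCATE).
GRANT SELECT, INSERT, UPDATE ON patients TO clinic_staff;

-- 3. Enable row-level security. With RLS on and no matching policy,
--    every row is denied by default. FORCE also binds the table owner.
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- 4. Staff see and change only rows of patients assigned to them. If
--    app.staff_id is unset, current_setting(..., true) yields NULL and the
--    comparison matches no row, so the policy fails closed.
CREATE POLICY staff_own_patients ON patients
    FOR ALL TO clinic_staff
    USING      (treating_staff_id = current_setting('app.staff_id', true)::uuid)
    WITH CHECK (treating_staff_id = current_setting('app.staff_id', true)::uuid);

COMMIT;

-- Check: the unauthenticated role must hold no SELECT privilege on the table,
-- and both row-level-security flags must be set.
SELECT has_table_privilege('anon', 'patients', 'SELECT') AS anon_can_read;
SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'patients';
```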

All audio recordings were sent directly to external AI APIs for transcription and summarization.

There was more, but this is already enough to get the idea.

Outlook

That's not the AI future I'm looking forward to. Personally, I'm using AI coding agents as well, but I'm able to understand what's happening, can read the code and have an idea of software architecture. Anyone just vibing away clearly won't give us a happy future.
