The most common bug in AI-built apps lets one user read another user's data. Almost nobody checks for it.
You build an app with AI over a weekend. It works. people sign up. Then one afternoon a user emails and asks why they can see someone else's invoice when they change the number in the link.
That is not a rare story. earlier this year a popular AI app builder had a bug where any free account could pull other people's source code, database keys, and private chats. On one AI app marketplace, roughly one in ten apps were quietly leaking user data the same way. Same root cause every time.
The bug has a boring name (people call it BOLA or IDOR) and a simple meaning. One logged-in user can reach another user's stuff. Your app checks that you are logged in. It forgets to check that the thing you are asking for is actually yours. The AI writes the part that makes the feature work and quietly skips the part that asks "wait, is this yours?" So the app looks perfect in the demo and leaks in production.
Here is the annoying part. A code scanner cannot really see this. It is not a bad word sitting in your code, it is a missing check in a live request. A one time audit checks the day it runs, then you ship ten more changes the next week.
The good news is you can test for it yourself in about two minutes:
- Make two accounts in your own app. Call them A and B.
- Log in as A and open something private. A note, an order, a profile. Look at the id in the address bar or the network request, something like /api/orders/1042.
- Now log in as B and ask for A's exact thing. Same /api/orders/1042.
- If B gets A's data back, you have the bug. If B gets blocked, that endpoint is fine. Repeat on your other main screens.
The fix is one idea. On the server, every time you read or change a record, check that the record belongs to the logged in user. Not just that they are logged in, that this specific row is theirs. Never trust the id coming from the browser.
I run into this constantly in AI-built apps, and almost nobody checks until a user finds it first. Curious how many of you have actually run this test on your own app and what you found. And if you have a cleaner way to check across a whole app, I want to hear it.