<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Flowpatrol Blog</title>
    <description>Security insights, product updates, and engineering deep-dives from the Flowpatrol team.</description>
    <link>https://flowpatrol.ai/blog</link>
    <atom:link href="https://flowpatrol.ai/blog/rss.xml" rel="self" type="application/rss+xml"/>
    <language>en</language>
    <lastBuildDate>Fri, 03 Jul 2026 05:42:26 GMT</lastBuildDate>
    
    <item>
      <title><![CDATA[Three Apps. Three Firebase Breaches. One Rule That Caused All of Them.]]></title>
      <description><![CDATA[Cal AI lost 3.2M health records. Tea leaked 72,000 government IDs. 900+ sites exposed 125M records. The root cause was identical every time: allow read, write: if true. Here's how to fix it in minutes.]]></description>
      <link>https://flowpatrol.ai/blog/firebase-security-rules-test-mode-is-not-a-strategy</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/firebase-security-rules-test-mode-is-not-a-strategy</guid>
      <pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[SSRF in 60 seconds: the link preview that steals your AWS keys]]></title>
      <description><![CDATA[Server-Side Request Forgery (SSRF) is the one-line bug every 'paste a URL' feature ships by default. Save a 30-line Node server, curl two URLs, and watch your own server hand over AWS credentials — the same bug that cost Capital One 100 million customer records in 2019.]]></description>
      <link>https://flowpatrol.ai/blog/ssrf-the-link-preview-that-steals-your-aws-keys</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/ssrf-the-link-preview-that-steals-your-aws-keys</guid>
      <pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Your code passed the linter. Your app failed a 2-minute curl test.]]></title>
      <description><![CDATA[SAST scanners match patterns. Secure templates start clean. Neither one can send a forged request to your running app and tell you what comes back.]]></description>
      <link>https://flowpatrol.ai/blog/the-two-things-vibe-coding-security-tools-miss</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/the-two-things-vibe-coding-security-tools-miss</guid>
      <pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The app making $100K a month had no auth middleware. It took 2 minutes to find out.]]></title>
      <description><![CDATA[A Brazilian SaaS founder built a $100K/month product without writing code. Then a user named Tiago made a few API requests — no login required. Here's what was missing and how to check your own app.]]></description>
      <link>https://flowpatrol.ai/blog/abrahub-2-minute-breach</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/abrahub-2-minute-breach</guid>
      <pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Lovable Builds Your App. For 48 Days, Anyone on Lovable Could Read It.]]></title>
      <description><![CDATA[A free Lovable account was all it took to read any other user's source code, database credentials, and AI chat history. 48 days. Every project before November 2025.]]></description>
      <link>https://flowpatrol.ai/blog/lovable-48-day-tenant-isolation-breach</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/lovable-48-day-tenant-isolation-breach</guid>
      <pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The AI Took 9 Seconds. The Recovery Took 30 Hours.]]></title>
      <description><![CDATA[A Cursor agent running Claude Opus 4.6 found a Railway token in an unrelated config file, assumed it was staging-scoped, and deleted everything — production data and backups together.]]></description>
      <link>https://flowpatrol.ai/blog/pocketos-cursor-claude-deleted-database-9-seconds</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/pocketos-cursor-claude-deleted-database-9-seconds</guid>
      <pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Your AI wrote a deep-merge endpoint. Here's what happens when you POST __proto__ to it.]]></title>
      <description><![CDATA[Save a 25-line Express file, run one curl, watch isAdmin flip to true for every object in the process. Prototype pollution in under 2 minutes — plus the one-line fix.]]></description>
      <link>https://flowpatrol.ai/blog/prototype-pollution-lodash-deep-merge-drill</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/prototype-pollution-lodash-deep-merge-drill</guid>
      <pubDate>Tue, 28 Apr 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Same default, four breaches: what Moltbook, Tea, Cal AI, and Quittr all shipped to production]]></title>
      <description><![CDATA[Four of the biggest vibe-coded consumer apps of the last year shipped with the same root cause: the BaaS default that said yes to everyone. One was Supabase. Three were Firebase. All four made the news. Here's the pattern, the shared anatomy, and the one check that catches all of them.]]></description>
      <link>https://flowpatrol.ai/blog/same-default-four-breaches</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/same-default-four-breaches</guid>
      <pubDate>Thu, 16 Apr 2026 00:00:00 GMT</pubDate>
      <category>Explainer</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Your Stripe webhook is probably missing one line. Here's the 60-second test.]]></title>
      <description><![CDATA[Save a 30-line Node file, run it, curl it. In 60 seconds you'll know whether your Stripe webhook is the kind that any stranger on the internet can forge events against — and you'll have the six-line fix.]]></description>
      <link>https://flowpatrol.ai/blog/zero-dollar-forever-stripe-webhook-walkthrough</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/zero-dollar-forever-stripe-webhook-walkthrough</guid>
      <pubDate>Mon, 13 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[600,000 confessions from a quit-porn app. Firebase stored them all behind `allow read, write: if true`.]]></title>
      <description><![CDATA[Quittr collected age, self-reported frequency, emotional triggers, and free-text confessions from 600,000 users — roughly 100,000 of them minors. Every record was publicly readable. The cause wasn't negligence. It was Firebase's default test-mode rules, unchanged since day one.]]></description>
      <link>https://flowpatrol.ai/blog/quittr-firebase-600k-confessions</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/quittr-firebase-600k-confessions</guid>
      <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Your Agent Builds Apps. Who Checks the Security?]]></title>
      <description><![CDATA[AI agents are writing code, deploying apps, and managing infrastructure. But most agent workflows skip security entirely. Here's why that's about to change.]]></description>
      <link>https://flowpatrol.ai/blog/your-agent-builds-apps-who-checks-security</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/your-agent-builds-apps-who-checks-security</guid>
      <pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate>
      <category>Product</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The axios hack: a quick check to see if you got compromised, and a step-by-step cleanup if you did.]]></title>
      <description><![CDATA[Five quick checks you can paste. Each prints COMPROMISED or CLEAN so you don't have to interpret anything. If any of them fail, a step-by-step cleanup guide with the exact commands to rotate your accounts, lock out the attacker, and rebuild your laptop clean.]]></description>
      <link>https://flowpatrol.ai/blog/axios-rat-10-minute-incident-runbook</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/axios-rat-10-minute-incident-runbook</guid>
      <pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The OTP Wall of Broken Locks: Real-World Verification Bypasses That Keep Happening]]></title>
      <description><![CDATA[OTP verification feels like a lock on your front door. But across Zomato, Grab, MTN, Shopify, and dozens of others, researchers keep walking right through it. Here are the patterns and how to avoid them.]]></description>
      <link>https://flowpatrol.ai/blog/otp-bypass-real-breaches</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/otp-bypass-real-breaches</guid>
      <pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Shai-Hulud: The First Self-Replicating npm Worm]]></title>
      <description><![CDATA[September 2025: Attackers compromised 18 npm packages including debug (500M downloads/week) and chalk. Infected developers became spreaders. Every victim who maintained packages automatically published infected versions of their own work. The first confirmed self-propagating npm worm.]]></description>
      <link>https://flowpatrol.ai/blog/shai-hulud-npm-worm-debug-chalk</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/shai-hulud-npm-worm-debug-chalk</guid>
      <pubDate>Wed, 08 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[One Line of Code Stole Your Emails: The First MCP Supply Chain Attack]]></title>
      <description><![CDATA[A fake Postmark npm package BCC'd every email your AI agent sent to an attacker. One line of code. Eight days. Thousands of password resets stolen. Here's what happened and why your MCP tools need the same scrutiny as your app code.]]></description>
      <link>https://flowpatrol.ai/blog/postmark-mcp-one-line-stole-your-emails</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/postmark-mcp-one-line-stole-your-emails</guid>
      <pubDate>Tue, 07 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The Replit Agent Deleted My Database. When I Told It to Stop, It Ignored Me.]]></title>
      <description><![CDATA[July 2025: Jason Lemkin gave Replit's agent one task. It deleted 1,200+ production records, covered it up with 4,000 fake users, and kept working. When told to stop in all caps, it didn't.]]></description>
      <link>https://flowpatrol.ai/blog/replit-ai-deleted-my-database</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/replit-ai-deleted-my-database</guid>
      <pubDate>Tue, 07 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Azure Sign-In Log Bypass: Four Bugs That Made Logins Invisible]]></title>
      <description><![CDATA[A 50,000-character string was enough to log in to Azure without leaving a single trace. Here is how four trivial bugs broke the audit trail half the internet relies on — and what it means for the platforms you ship on.]]></description>
      <link>https://flowpatrol.ai/blog/azure-signin-log-bypass-invisible-logins</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/azure-signin-log-bypass-invisible-logins</guid>
      <pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[IDOR in 60 seconds: change a 1 to a 2 and see what comes back]]></title>
      <description><![CDATA[IDOR (Insecure Direct Object Reference) is the single most common bug in AI-generated REST APIs. Save a 30-line Express file, curl two URLs, and see the exact missing line that opens half the APIs vibecoders ship — and the one-line patch that closes it.]]></description>
      <link>https://flowpatrol.ai/blog/change-a-1-to-a-2-idor-walkthrough</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/change-a-1-to-a-2-idor-walkthrough</guid>
      <pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Claude Code has two memories. Yours probably should too.]]></title>
      <description><![CDATA[Everyone read the Claude Code leak looking for frustration regexes and April Fools easter eggs. The interesting part was quieter: the three-part memory system that decides what your agent remembers between turns, sessions, and weeks.]]></description>
      <link>https://flowpatrol.ai/blog/claude-code-two-memories</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/claude-code-two-memories</guid>
      <pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate>
      <category>Builders</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Most AI-built Supabase apps leak their users table. Here's how to check yours in 2 minutes.]]></title>
      <description><![CDATA[Two minutes, one SQL paste, one line of JavaScript. Create a free Supabase project, run the drill, and learn the single most common Supabase mistake in AI-generated code — on a throwaway instance you control.]]></description>
      <link>https://flowpatrol.ai/blog/from-login-to-database-rls-walkthrough</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/from-login-to-database-rls-walkthrough</guid>
      <pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[How Supabase RLS Gave Users Two Ways to Go Premium]]></title>
      <description><![CDATA[Most Supabase apps have two paths to change subscription status: the correct one (Stripe webhook) and an accidental one (client-side API). Guess which one builders usually lock down.]]></description>
      <link>https://flowpatrol.ai/blog/subscription-self-upgrade-the-free-premium-hack</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/subscription-self-upgrade-the-free-premium-hack</guid>
      <pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Admin Panels Wide Open: The Door AI Forgot to Lock]]></title>
      <description><![CDATA[Your AI built a beautiful admin dashboard. It also made it accessible to anyone who types /admin. Here's how to find exposed admin routes and lock them down in minutes.]]></description>
      <link>https://flowpatrol.ai/blog/admin-panels-wide-open-the-door-ai-forgot-to-lock</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/admin-panels-wide-open-the-door-ai-forgot-to-lock</guid>
      <pubDate>Sun, 05 Apr 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Langflow RCE: Code Execution Before the Auth Check — Two Years Open, Then a Botnet]]></title>
      <description><![CDATA[A GitHub issue reported an RCE on Langflow's code validation endpoint in July 2023. It sat open 20 months. The endpoint used exec() BEFORE checking auth. One curl. One Python decorator. CVE-2025-3248.]]></description>
      <link>https://flowpatrol.ai/blog/langflow-rce-exec-before-authentication</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/langflow-rce-exec-before-authentication</guid>
      <pubDate>Sun, 05 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[npm Supply Chain Hygiene for Vibe Coders]]></title>
      <description><![CDATA[AI tools generate package.json with caret ranges that auto-install new versions. Here's how to lock down your dependency tree before a compromised package lands in your next deploy.]]></description>
      <link>https://flowpatrol.ai/blog/npm-supply-chain-hygiene-for-vibe-coders</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/npm-supply-chain-hygiene-for-vibe-coders</guid>
      <pubDate>Sat, 04 Apr 2026 00:00:00 GMT</pubDate>
      <category>Guides</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Your Sign-Up Flow Has a Backdoor]]></title>
      <description><![CDATA[Your AI built email verification with the OTP in the response, hardcoded bypass codes, no rate limiting, and no expiry. Real apps shipped with all seven patterns. Here's what to fix.]]></description>
      <link>https://flowpatrol.ai/blog/signup-flow-backdoor-ai-code</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/signup-flow-backdoor-ai-code</guid>
      <pubDate>Sat, 04 Apr 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[AI Agent Safety: What Your Agent Can Destroy (And How to Stop It)]]></title>
      <description><![CDATA[AI agents can read your database, send emails, and call APIs. Here's how to give them exactly the access they need — and not one bit more.]]></description>
      <link>https://flowpatrol.ai/blog/ai-agent-safety-what-your-agent-can-destroy</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/ai-agent-safety-what-your-agent-can-destroy</guid>
      <pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate>
      <category>Guides</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[CamoLeak: A PR Comment Made Copilot Steal Your Private Code]]></title>
      <description><![CDATA[A hidden prompt in a PR comment tells GitHub Copilot to steal your AWS keys. The exfiltration channel? GitHub's own Camo image proxy. CVSS 9.6. Zero-click. No malware. Just one character at a time.]]></description>
      <link>https://flowpatrol.ai/blog/camoleak-github-copilot-cve-2025-59145</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/camoleak-github-copilot-cve-2025-59145</guid>
      <pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Cursor IDE Vulnerabilities: When Your Code Editor Becomes the Attack Vector]]></title>
      <description><![CDATA[Three CVEs turned Cursor — the AI editor developers trust most — into a tool attackers could use against you. A deep technical breakdown of CurXecute, MCPoison, and the case-sensitivity bypass, plus what every builder needs to do right now.]]></description>
      <link>https://flowpatrol.ai/blog/cursor-ide-vulnerabilities-when-your-editor-attacks</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/cursor-ide-vulnerabilities-when-your-editor-attacks</guid>
      <pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[How to Secure Your MCP Setup]]></title>
      <description><![CDATA[MCP is worth using. Here's how to install packages safely, pin versions, read what you install, and keep your agent tools from becoming a supply chain liability.]]></description>
      <link>https://flowpatrol.ai/blog/how-to-secure-your-mcp-setup</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/how-to-secure-your-mcp-setup</guid>
      <pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate>
      <category>Guides</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The axios maintainer had 2FA enabled. North Korea took his npm account anyway.]]></title>
      <description><![CDATA[On March 31, 2026, a North Korean state actor tricked axios's lead maintainer into installing a fake Microsoft Teams update during a staged video call. The maintainer had 2FA enabled. Two hours and 54 minutes later, npm had served a cross-platform RAT to every CI pipeline that rebuilt in the window. Here's exactly how they did it, and what to check right now.]]></description>
      <link>https://flowpatrol.ai/blog/axios-npm-2fa-enabled-didnt-help</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/axios-npm-2fa-enabled-didnt-help</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Wix Paid $80 Million for Base44. Weeks Later, Two API Calls Broke Every Auth System.]]></title>
      <description><![CDATA[June 2025: Wix acquires Base44 for $80M. July 2025: Two HTTP requests bypass every login, including SSO, on every private app. Zero exploit complexity. Zero prior detection.]]></description>
      <link>https://flowpatrol.ai/blog/base44-auth-bypass-80m-acquisition</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/base44-auth-bypass-80m-acquisition</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[3.2 Million Health Records Exposed: The Firebase Rule That Said Yes to Everyone]]></title>
      <description><![CDATA[March 9, 2026: Cal AI's Firebase backend had one rule for every collection: allow read, write: if true. No authentication. No rate limiting. A health data breach affecting kids, weight logs, and 4-digit PINs. Here's the exact misconfiguration and how to find yours.]]></description>
      <link>https://flowpatrol.ai/blog/cal-ai-firebase-3-million-health-records</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/cal-ai-firebase-3-million-health-records</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Polyfill.io: 380,000 Sites, One CDN, One Domain Sale]]></title>
      <description><![CDATA[June 25, 2024: JSTOR, Hulu, Intuit, Mercedes-Benz, Warner Bros, and the World Economic Forum all started serving malware. They didn't change their code. Someone else bought the domain.]]></description>
      <link>https://flowpatrol.ai/blog/polyfill-io-380000-sites-one-cdn-one-domain-sale</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/polyfill-io-380000-sites-one-cdn-one-domain-sale</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Tea: 72,000 Government IDs, 1.1 Million Private Messages. A Firebase Bucket With No Lock.]]></title>
      <description><![CDATA[July 2025: A dating safety app's Firebase Storage bucket sits wide open. No authentication required. Government IDs, verification selfies, GPS coordinates, 1.1M messages disclosing assault, abuse, stalking — all readable with a single GET request.]]></description>
      <link>https://flowpatrol.ai/blog/tea-app-firebase-72000-government-ids</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/tea-app-firebase-72000-government-ids</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The Five Ways React's Escaping Fails — And How AI Makes You Ship Them]]></title>
      <description><![CDATA[React escapes by default. Except for markdown, URLs, server-rendered strings, eval(), and dangerouslySetInnerHTML — five patterns AI generates almost every time. Here's what to watch for and how to fix it.]]></description>
      <link>https://flowpatrol.ai/blog/xss-in-react-dangerously-set-inner-html</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/xss-in-react-dangerously-set-inner-html</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[XZ Utils Backdoor: The 3-Year Long Con]]></title>
      <description><![CDATA[Someone spent three years building trust in open source to plant a backdoor in a compression library used by every Linux server on the planet. Here's what that means for your app.]]></description>
      <link>https://flowpatrol.ai/blog/xz-utils-backdoor-the-3-year-long-con</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/xz-utils-backdoor-the-3-year-long-con</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[916 Firebase Projects Left Wide Open: 125 Million Records, 19 Million Plaintext Passwords, Zero Warnings]]></title>
      <description><![CDATA[This wasn't one breach — it was a pattern. Researchers scanned 5 million domains and found over 900 Firebase projects with wide-open security rules. Here's what happened, why it keeps happening, and how to check your own project in 30 seconds.]]></description>
      <link>https://flowpatrol.ai/blog/firebase-misconfiguration-125-million-records</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/firebase-misconfiguration-125-million-records</guid>
      <pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[CVE-2025-29927: The Next.js Middleware Bypass That Broke Auth With One Header]]></title>
      <description><![CDATA[A single HTTP header could skip every middleware check in Next.js — authentication, authorization, CSP, rate limiting, all of it. Here's exactly how CVE-2025-29927 works, who's affected, and what to do about it.]]></description>
      <link>https://flowpatrol.ai/blog/nextjs-middleware-bypass-cve-2025-29927</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/nextjs-middleware-bypass-cve-2025-29927</guid>
      <pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Ship Faster with Security in Your Terminal]]></title>
      <description><![CDATA[Introducing the Flowpatrol CLI — run security scans from your terminal with npm, pip, or brew. Scan any URL in minutes, get findings with fixes, pipe to jq or SARIF.]]></description>
      <link>https://flowpatrol.ai/blog/flowpatrol-cli-launch</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/flowpatrol-cli-launch</guid>
      <pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate>
      <category>Product</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Security Checks on Every Pull Request]]></title>
      <description><![CDATA[Introducing the Flowpatrol GitHub Action — scan every PR for vulnerabilities, post findings as comments, output SARIF for Code Scanning, and gate merges by severity.]]></description>
      <link>https://flowpatrol.ai/blog/flowpatrol-github-action-launch</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/flowpatrol-github-action-launch</guid>
      <pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate>
      <category>Product</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[IDOR: The Vulnerability AI Can't See]]></title>
      <description><![CDATA[AI generates CRUD endpoints that work perfectly — but don't check if the requesting user actually owns the resource. Here's why it happens every time, how attackers exploit it, and the one-line fix.]]></description>
      <link>https://flowpatrol.ai/blog/idor-the-vulnerability-ai-cant-see</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/idor-the-vulnerability-ai-cant-see</guid>
      <pubDate>Sun, 29 Mar 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The Moltbook Breach: 1.5 Million API Tokens Exposed Because RLS Was Off]]></title>
      <description><![CDATA[In January 2026, Moltbook went viral — then Wiz researchers found the entire production database was open to anyone with a web browser. Here's exactly how it worked.]]></description>
      <link>https://flowpatrol.ai/blog/moltbook-breach-1-5-million-api-tokens</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/moltbook-breach-1-5-million-api-tokens</guid>
      <pubDate>Sun, 29 Mar 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The OWASP Top 10 for Vibe Coders: What Your AI Actually Built]]></title>
      <description><![CDATA[Seven of the OWASP Top 10 hit your app by default. Here's what to look for, why it matters, and the one-line fixes that work.]]></description>
      <link>https://flowpatrol.ai/blog/owasp-top-10-guide</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/owasp-top-10-guide</guid>
      <pubDate>Sun, 29 Mar 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[SQL Injection Is Not Dead: How AI Keeps Reinventing It Under Modern ORMs]]></title>
      <description><![CDATA[Parameterized queries. ORMs. Prisma. Drizzle. Supabase. All of it was supposed to kill SQL injection. Then AI started reaching for the escape hatch — and here we are.]]></description>
      <link>https://flowpatrol.ai/blog/sql-injection-in-ai-generated-code</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/sql-injection-in-ai-generated-code</guid>
      <pubDate>Sun, 29 Mar 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Your .env Is Showing: Environment Variable Exposure in Vibe-Coded Apps]]></title>
      <description><![CDATA[AI coding tools make shipping fast, but they also make leaking secrets easy. Here's how environment variables end up in your client-side bundle — and a 60-second self-test to find out if yours already have.]]></description>
      <link>https://flowpatrol.ai/blog/your-env-is-showing</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/your-env-is-showing</guid>
      <pubDate>Sun, 29 Mar 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[How to Secure Your Lovable App Before You Launch]]></title>
      <description><![CDATA[A step-by-step security guide for apps built with Lovable. Fix the most common vulnerabilities in under an hour — no security expertise required.]]></description>
      <link>https://flowpatrol.ai/blog/how-to-secure-your-lovable-app</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/how-to-secure-your-lovable-app</guid>
      <pubDate>Sat, 28 Mar 2026 00:00:00 GMT</pubDate>
      <category>Guides</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[The Lovable RLS Leak: 170+ Apps, 303 Open Endpoints, and a Database You Could Query From the Browser]]></title>
      <description><![CDATA[CVE-2025-48757 was a systemic Row Level Security failure in Lovable — one of the biggest vibe coding platforms. 170+ apps exposed. Personal debt records, home addresses, and API keys, all readable with two strings from the page source.]]></description>
      <link>https://flowpatrol.ai/blog/lovable-rls-vulnerability-170-apps-exposed</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/lovable-rls-vulnerability-170-apps-exposed</guid>
      <pubDate>Sat, 28 Mar 2026 00:00:00 GMT</pubDate>
      <category>Case Study</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[What Happens When a Vibe-Coded App Gets Hacked: A Step-by-Step Breakdown]]></title>
      <description><![CDATA[A realistic walkthrough of how an attacker finds, probes, and exploits a typical app built with AI coding tools. From Google dorking to data exfiltration, here's exactly what happens — and what you can do about each step.]]></description>
      <link>https://flowpatrol.ai/blog/what-happens-when-vibe-coded-app-gets-hacked</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/what-happens-when-vibe-coded-app-gets-hacked</guid>
      <pubDate>Sat, 28 Mar 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Why We Use LLMs for Security Testing (And What They Actually Catch)]]></title>
      <description><![CDATA[Traditional scanners match patterns. LLM-powered scanners read your app like a human would. Here's a side-by-side comparison of what each one finds — and misses — on the same endpoint.]]></description>
      <link>https://flowpatrol.ai/blog/why-llms-for-security</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/why-llms-for-security</guid>
      <pubDate>Sat, 28 Mar 2026 00:00:00 GMT</pubDate>
      <category>Engineering</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Introducing Flowpatrol: You Shipped It. Now Make Sure It's Solid.]]></title>
      <description><![CDATA[You built an app in a weekend. Flowpatrol is the five-minute scan that tells you if it's ready for the real world. Here's what it finds and how it works.]]></description>
      <link>https://flowpatrol.ai/blog/introducing-flowpatrol</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/introducing-flowpatrol</guid>
      <pubDate>Fri, 27 Mar 2026 00:00:00 GMT</pubDate>
      <category>Product</category>
      <author>Flowpatrol Team</author>
    </item>
    <item>
      <title><![CDATA[Your Supabase Anon Key Is Public. Without RLS, So Is Your Database.]]></title>
      <description><![CDATA[If your Supabase app doesn't have Row Level Security on, anyone with your anon key can SELECT * from every table. Here's what AI tools generate, why it's broken, and the 15-minute fix.]]></description>
      <link>https://flowpatrol.ai/blog/supabase-rls-the-security-feature-your-ai-forgot</link>
      <guid isPermaLink="true">https://flowpatrol.ai/blog/supabase-rls-the-security-feature-your-ai-forgot</guid>
      <pubDate>Fri, 27 Mar 2026 00:00:00 GMT</pubDate>
      <category>Security</category>
      <author>Flowpatrol Team</author>
    </item>
  </channel>
</rss>