"Just Fucking Ship It" (Or: On Vibecoding)
95 comments
July 9, 2025 · wibbily
fatnoah
App Store rules are completely arbitrary. Many moons ago, I worked at a startup that made a mobile messaging app (back when SMS cost money). We were mostly a consumer app, but had a trio of businesses that wanted white-label versions of the app for their own employees, and we naturally obliged.
The white-label versions were 100% identical in appearance and functionality except for the name in the app store, startup logo, and color scheme. Our original app had been in the App Store for many years. Our results in submitting the three white-label apps to the App Store for review were: 1 approved immediately, 1 approved after some back-and-forth w/explanation of the purchase model, and another that never got approved due to every submission receiving some nonsensical bit of feedback.
thih9
Did you contact the creator first with these findings? What was the creator's response, if any?
In any case, I hope the creator was contacted. I'd say publishing active issues like this on a popular website would be arguably as bad as releasing insecure software.
coal320
Responsible disclosure was given. Developer doesn't seem keen on changing things.
MrGilbert
Might be worth adding that piece of information to the original article, maybe including a timeline of events.
handfuloflight
Valid security issues buried under unnecessary smugness and basic 'techniques' like demonstrating the unzip command. The condescending tone undermines what could have been constructive disclosure. This reads like a high schooler dunking on a first grader, I'm just glad we all learned from the technical prowess of extracting an archive. The underlying problems with exposed API keys and unrestricted database access are serious, but your arrogant presentation does a disservice to responsible disclosure.
rockemsockem
I read it as an incredulous and increasingly pissed off person absolutely dunking on a smug person's attitude and success who has done so in a fashion they find completely unacceptable.
ycombinatrix
this app leaks the private data of hundreds of children, but GP's "smugness" is the problem? give me a break.
are you Christian Monfiston? that would explain a lot.
bravetraveler
Responsible disclosure for a meme-level mistake, lol.
I understand letting them know. I agree. Painting them as equally wrong, no. "Popular website"; you mean 'theirs', right? The person with a whole 27 GitHub followers right now.
MrGilbert
The article says: "Nearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open."
A meme-level mistake is one thing, but their wrong doesn't grant the author the right to be irresponsible.
bravetraveler
I don't believe this is irresponsible, they called for readers to report the app. We can all contact the host and go escalate if we want.
I wouldn't suggest anyone recreate this process just to sanitize what's sitting around.
There you go, new trolley problem.
JanSt
Pushing out an exact way to extract that data without giving the creator time to fix it may even be worse than using such code in production. The data may then be in the hands of malicious people who wouldn't have found it otherwise.
bravetraveler
Go talk to the abuse contact, I won't stop you.
pelagicAustral
I like the write-up and it gave me vibes (no pun intended) of an old-era hacker zine submission, but at the same time it does come across as a bit too over the top, especially because there is no indication the app author even knows this stuff is out here now for everyone to see.
There is no way to police the quality of the (closed-source) software that is going to be put out there thanks to code assisting tools, and I think that will be the strongest asset of previous developers, especially full-stack, because if you do know what you are doing, the results are just beautiful. Claude code user here.
gouthamve
OMG the prompt is hilarious. And hilariously bad.
> You are a Gen Z App, You are Pandu,you are helping a user spark conversations with a new user, you are not cringe and you are not too forward, be human-like. You generate 1 short, trendy, and fun conversation starter. It should be under 100 characters and should not be unfinished. It should be tailored to the user's vibe or profile info. Keep it casual or playful and really gen z use slangs and emojis. No Quotation mark
mvieira38
Great read. I wouldn't have had the restraint required not to spam a gazillion push notifications to everyone saying "UNINSTALL IMMEDIATELY" or something like that
coal320
It definitely crossed my mind :)
skrebbel
Points for the girlfriend's "i am passionate about gooning" bio
coal320
This site is also accessible via ssh:
`ssh site@coal.sh`
lvl155
Claude Code having a woodwork moment here. It’s basically leveling up everyone to bootcamp graduate level.
bluefirebrand
Or in some cases levelling them down to bootcamp graduate level
lvl155
I will be honest and say, yes, I am guilty. I sometimes look at AI code and say “it does work. Doesn’t need to be elegant or bulletproof.”
Hard_Space
Wow, why block the scroll bar?
penguin_booze
Because that's how the cool people roll these days - leaving the rest of us fools chasing.
coal320
I'm bad at web stuff and they kinda looked gross! It was only supposed to be on mobile. I'll fix it!
zufallsheld
Shouldn't be on mobile either, I use dark mode and could not see the scroll bar.
Great read nonetheless.
blinkbat
Doing the lord's work tbh.
brettkromkamp
Excellent write-up.
> At first, I was wondering how he managed to even publish something like this, but I'm starting to think that Apple just got tired of rejecting it over and over.
Another reminder for the pile: the App Store rules don't apply if you'll deliver them their sweet sweet 30% revenue cut.
> Nearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open. Criminal.
Hope that $750 was worth it.