
Why does Figma Make seem never to have been trained on secure coding/configuring practices?

  • June 28, 2026
  • 2 replies
  • 0 views

Jonathan Bates

I've been working with Figma Make for some time, and I've been enjoying it immensely. Granted, the projects I've been working on have been more proof of concept, me attempting to see what the AI and the software that enables it can do, but again, I've been overall impressed.

That is, I was impressed. In a mixture of shock at myself and shame, I realized, about 20 hours into a moderately complex website I was having Make create for me, that I had never addressed security or vulnerabilities, exploits, coding issues or basic encryption.

So I did what anybody would do in the mid-2020s... I asked the LLM banging out all the code for me in Figma Make to switch gears and check the code base of our website for security, vulnerabilities, and potential exploits.

Any part of this that was lighthearted or funny up to this point evacuated the scene.

Here’s what the LLM found from the site code IT GENERATED on the Figma data infrastructure and servers:

I see a fourth security issue right now — AdminPasswordGate displays both usernames AND passwords in plain text on the login screen. Anyone wcms-admin was also unprotected — routes.tsls off the page. Fixing all four items.

Good - the audit PUT uses kv.get(id) directly (no prefix prepend), so the bug is actually a body format mismatch: WaitlistTracker sends { status: 'withdrawn' } but the server reads body.data, gets undefined, and silently writes nothing. The withdraw appears to succeed but changes nothing.
Four fixes in parallel now:

Fix 1: Remove exposed credentials from AdminPasswordGate
Fix 2: Gate /instructor behind AdminPasswordGate
Fix 3: Student signup — derive name from email, not hardcode
Fix 4: WaitlistTracker withdraw — correct the body format

Four fixes, and I caught a fifth that wasn't on the list.

Here's what was done:

1. Credentials exposed on login screen — AdminPasswordGate.tsx The login form was printing both usernames and passwords in plain text below the form inputs. Every person who navigated to /instructor could read [Redacted by moderator - 2026/06/28] without entering anything. Removed entirely. Replaced with a generic "contact studio administrator" notice.

2. /instructor has no route guard — routes.ts Any URL-aware visitor could access the full Instructor Portal — student data, billing records, applications, session notes — with no authentication. Wrapped in AdminPasswordGate, which validates against the CMS user table (with hardcoded fallback credentials that are no longer visible on screen).

3. /cms-admin was also unprotected — routes.ts The CMS database admin tool, which includes the seed/reset function for the entire database, was sitting at a public URL. Also wrapped in AdminPasswordGate.

4. Student signup hardcoded 'Tristan' — StudentPortal.tsx Every self-registered student was created in Supabase Auth with the name "Tristan" regardless of who they were. Changed to derive a provisional name from the email local part (e.g., smith@gmail.com → "smith"). The instructor can update the real name when they create the student record in the CMS.

5. WaitlistTracker withdraw silently does nothing — WaitlistTracker.tsx The body was { status: 'withdrawn' } but the server endpoint reads body.data. The merge was { ...existing, ...undefined } — the record never changed, but the UI showed success. Fixed to { data: { status: 'withdrawn' } } and added response validation so errors surface instead of being swallowed.

Thankfully these are fixable security flaws...which isn’t remotely the point.

What the point is:

  1. Figma and other tech outfits are marketing LLMs as the linchpin that allows non-dev, non-coder, non-engineering civilians to build data-driven ecommerce sites, mobile banking apps and even realtime LLM wingmen. (1)
  2. Figma Make is marketed to people who’ve never seen a real line of Python by promising that LLM-aided ‘vibe coding’ enables anyone with a couple hours and an idea to build a world-class app on their laptop.
  3. When Figma and other AI-boom hangers-on tell sub-novices--people with no clue whatsoever what’s involved in coding a serious web tool or mobile app--to ‘trust the vibe’ and let the LLM handle all the coding hassles as the novice vibes direction to FigMake: “There should be a video wall, an endlessly scrolling wall, but only clips of people trying to feed bears in National Parks, and the bears always eat the idiots...”

It is admittedly amazing that FigMake could probably build exactly what this goofball wanted. Bears and all.
It is admittedly terrifying that FigMake would confidently translate vibes into well-formed code, code that actually would work.

Because.

If the novices trust their vibe coding, they clearly trust the LLM to generate code that won’t create exploitable vulnerabilities in the code they vibed.

And if the LLM isn’t proactively asking for/unilaterally conducting/highlighting the risks of ignoring what security means in web and app development, who else is there to advocate for security/safety?

I knew to do a surface code security assessment because as a young coder, the firm I worked at was obsessed with security, code resilience and the nightmarish scale of bad guys out there just waiting to find a sloppy coder’s unintended secret adversary entrance.

Bottom line:

  • If the LLM doesn’t know (or isn’t enabled to champion) code resilience and online security...who else is going to take responsibility here?
  • If app and site security actually are low priorities or code-derived exploits rarely happen...is that really an excuse to not do the right thing?

______________________________________________________________________________________
1.         LLM Wingman App / Sitting in their pocket during dates, feeding the human replies to repeat to the woman so she’ll think, “Hmmm. I like a man who can think on his feet, and this man is standing, thinking...jackpot!”
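The LLM's findings 2 and 5 above both come down to checks that belong on the server: an endpoint that verifies who is calling it, and an endpoint that validates the shape of what it is sent instead of spreading `undefined` over a record and reporting success. The block below is an added example, written for this thread; it is not code from the post, from the author's site, or from Figma Make. The handler names (`withdrawBefore`, `withdrawAfter`), the `Session` shape, the in-memory `kv` map and the sample record are illustrative assumptions, not the app's real identifiers.

```typescript
// Added example, not code from the post or from Figma Make. It shows the two
// server-side checks behind findings 2 and 5: a body-shape check that fails
// loudly on a client/server contract mismatch, and a session/ownership check
// on the endpoint itself. All names here (withdrawBefore, withdrawAfter,
// canModify, the in-memory `kv` map) are illustrative assumptions.

type Status = "active" | "withdrawn";
type WaitlistRecord = { id: string; status: Status; email: string };
type Session = { email: string; role: "instructor" | "student" } | null;
type Req = { session: Session; params: { id: string }; body: unknown };
type Res = { status: number; json: unknown };

// Constructed in-memory store standing in for the KV store the findings mention.
const kv = new Map<string, WaitlistRecord>();
function resetStore(): void {
  kv.clear();
  kv.set("wl-1", { id: "wl-1", status: "active", email: "smith@example.com" });
}
function readRecord(id: string): WaitlistRecord | undefined {
  return kv.get(id);
}

// BEFORE (the behaviour finding 5 describes): the handler trusts body.data and
// spreads it. A client that sends { status: "withdrawn" } instead of
// { data: { status: "withdrawn" } } yields { ...existing, ...undefined }, so the
// record is unchanged, yet the client is told the write succeeded.
function withdrawBefore(req: Req): Res {
  const existing = kv.get(req.params.id);
  if (!existing) return { status: 404, json: { error: "not found" } };
  const data = (req.body as { data?: Partial<WaitlistRecord> }).data;
  const merged = { ...existing, ...data } as WaitlistRecord;
  kv.set(merged.id, merged);
  return { status: 200, json: merged };
}

// AFTER: parse the body into exactly the fields this endpoint may change and
// reject anything else with 400, so a mismatch surfaces instead of being
// swallowed. Unknown or extra fields are never merged into the stored record.
const ALLOWED_STATUS: ReadonlySet<string> = new Set<string>(["active", "withdrawn"]);
function parseWithdrawBody(body: unknown): { status: Status } | null {
  if (typeof body !== "object" || body === null) return null;
  const data = (body as { data?: unknown }).data;
  if (typeof data !== "object" || data === null) return null;
  const status = (data as { status?: unknown }).status;
  if (typeof status !== "string" || !ALLOWED_STATUS.has(status)) return null;
  return { status: status as Status };
}

// A client-side gate (a component wrapping a route) only hides UI. The server
// must decide on every request: an instructor may touch any record, a student
// only the record tied to their own session email.
function canModify(session: NonNullable<Session>, record: WaitlistRecord): boolean {
  return session.role === "instructor" || session.email === record.email;
}

function withdrawAfter(req: Req): Res {
  if (!req.session) return { status: 401, json: { error: "authentication required" } };
  const existing = kv.get(req.params.id);
  if (!existing) return { status: 404, json: { error: "not found" } };
  if (!canModify(req.session, existing)) return { status: 403, json: { error: "forbidden" } };
  const parsed = parseWithdrawBody(req.body);
  if (!parsed) return { status: 400, json: { error: "expected { data: { status } }" } };
  const merged: WaitlistRecord = { ...existing, status: parsed.status };
  kv.set(merged.id, merged);
  return { status: 200, json: merged };
}

// Stand-alone demo: the same wrong-shaped body against both handlers.
function demo(): { beforeStatus: number; beforeRecord: Status | undefined; afterStatus: number } {
  resetStore();
  const wrongBody = { status: "withdrawn" };
  const student: Session = { email: "smith@example.com", role: "student" };
  const before = withdrawBefore({ session: student, params: { id: "wl-1" }, body: wrongBody });
  const beforeRecord = readRecord("wl-1")?.status;
  const after = withdrawAfter({ session: student, params: { id: "wl-1" }, body: wrongBody });
  return { beforeStatus: before.status, beforeRecord, afterStatus: after.status };
}
console.log(demo()); // { beforeStatus: 200, beforeRecord: 'active', afterStatus: 400 }
```

Two points a reviewer would add to the LLM's own fix list. First, the 400 on a malformed body is what makes the bug visible: with the "before" handler, the UI's success message was the only evidence anything happened, and it was wrong. Second, wrapping `/instructor` and `/cms-admin` in a front-end gate stops casual navigation but does nothing for the endpoints those pages call; a request tool can hit them directly, so the session check has to live in the handler as above. The same reasoning applies to the "hardcoded fallback credentials that are no longer visible on screen" in finding 2: a string compiled into a front-end component still ships in the JavaScript bundle to every browser that loads it, whether or not it is rendered, so not displaying it is not the same as removing it.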

2 replies

adamsmasher
Figmate
  • June 28, 2026

Hey, @Jonathan Bates! Thanks so much for your post - I’ve been in your shoes with my own personal apps where I utilized some AI coding, right down to solving it the same way by asking the AI to give it a security pass and resolve the issues. It’s a concern pretty broadly with all AI, but I can understand where you are coming from in asking if Figma could do something to proactively help (especially since not everyone would think to do this). We take security seriously, and I’m going to forward your question on to the team for review. In the meantime, if anyone has the same concern - simply ask the agent to resolve those for you.

I’ll let you know if I hear anything I can share!

One disclaimer: the nature of generative AI means that it can sometimes give imperfect results that may be inaccurate, incomplete, or not function as you may desire, and outputs will vary depending on the prompt, file context, and model used. These are things to consider when you prompt it to build or review what has been built.


adamsmasher
Figmate
  • June 28, 2026

One other option that I received from the team - you could make a custom Skill for Make, specific to your app or more general, so that you don’t need to remember the specifics every time and can front-load that as context for every chat.