
We Scanned 81 Websites. Only 2 Passed.

We didn't hack anything. We didn't break any laws. We just looked — and what we found will make you rethink everything you assume about internet security.

We Read 7,719 Lines of the New York Times' Private Code

Let's start with the one that made us do a double-take.

The New York Times — one of the most respected news organizations on the planet — accidentally left the blueprints to their video player on the sidewalk. Not behind a login. Not on a secret server. Right there, on their public website, for anyone to download.

We opened our terminal and typed one command:

curl https://static01.nyt.com/video-static/betamax/player-B8yJFSwz.js.map

Three seconds later, we were reading their source code. All of it.

34 original files. 4,175 lines of private TypeScript code. Their video player, their error handling, their tracking system — everything.

Here's what we found inside:

src/tracking/unified-tracking.ts
src/tracking/event-sender.ts
src/player/fullscreen/fullscreen.ts
src/player/playback-interceptor.ts
src/player/error/error-slate.tsx
src/player/player.tsx
src/player/sources/hls-js.ts
src/player/captions/captions-display.tsx
... and 26 more files

We could see exactly how the Times tracks what you watch. We found comments pointing to their private GitHub repository. We could read their error handling code — which tells an attacker exactly where things might break.

Here's an actual snippet from their exposed tracking code:

// From: src/tracking/unified-tracking.ts (NYTimes)

export function sendToUnifiedTracking(name, payload) {
  if (!unifiedTracking) {
    console.error("[Betamax analytics] Unified tracking not initialized");
    return;
  }
  /**
   * The unified tracking library has mappings for web event
   * names -> hybrid event names here:
   * https://github.com/nytimes/news/blob/018e5fff...
   */
  let eventName = name;
  if (unifiedTracking.context === "hybrid" && name === "mediaEvent") {
    eventName = "media";
  }
  // ...
}

That's not a recreation. That's their actual code, copied directly from their public server. Notice the comment linking to github.com/nytimes/news/... — their private repository.

We didn't stop there. We downloaded five more files from the same server. In total:

66 private source files. 7,719 lines of code. Downloaded in under 10 seconds.

Think about what this means. If you wanted to attack the New York Times' video player, you wouldn't need to guess how it works. You wouldn't need to reverse-engineer anything. You'd just... read the instructions they left out in the open.

The fix takes about 2 minutes. One setting in their build tool: turn off source maps for production. That's it.
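The check described above, written from the site owner's side as an added example (this is not the article's scanner and not the Times' code): it finds the source-map directive a bundler appends to a production bundle, resolves it the way a crawler would, and measures what a fetched map gives away. The bundle text, the map object, the hostname static.example.com and the repository URL inside the map are all constructed for the example.

```javascript
// Added example: not the article's scanner and not the Times' code.
// Finds the source-map directive a bundler appends to a production bundle,
// resolves it as a crawler would, and measures what a fetched map exposes.
// Everything below the functions is constructed sample data.

// Matches "//# sourceMappingURL=..." or "/*# sourceMappingURL=... */" at line end.
const SOURCE_MAP_RE = /\/[\/*]#\s*sourceMappingURL=(\S+?)\s*(?:\*\/)?\s*$/gm;

// Every map reference in a bundle, resolved against the bundle's own URL.
function findSourceMapRefs(bundleText, bundleUrl) {
  const refs = [];
  for (const m of bundleText.matchAll(SOURCE_MAP_RE)) {
    const ref = m[1];
    refs.push(ref.startsWith('data:')
      ? { kind: 'inline', url: ref }            // the map is embedded in the bundle itself
      : { kind: 'external', url: new URL(ref, bundleUrl).href });
  }
  return refs;
}

// Decode an inline data: URL map (base64 or percent-encoded JSON).
function loadInlineMap(dataUrl) {
  const comma = dataUrl.indexOf(',');
  const meta = dataUrl.slice(0, comma);
  const body = dataUrl.slice(comma + 1);
  return JSON.parse(meta.endsWith(';base64') ? atob(body) : decodeURIComponent(body));
}

// How much a v3 source map gives away: file count, line count of embedded
// original source, and any code-hosting URLs left in comments.
function summarizeSourceMap(map) {
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const repoRefs = new Set();
  let lines = 0;
  for (const text of contents) {
    if (typeof text !== 'string') continue;
    lines += text.split('\n').length - (text.endsWith('\n') ? 1 : 0);
    for (const m of text.matchAll(/https?:\/\/(?:github|gitlab|bitbucket)\.[^\s)"']+/g)) repoRefs.add(m[0]);
  }
  return {
    files: sources.length,
    embeddedSources: contents.filter((t) => typeof t === 'string').length,
    lines,
    repoRefs: [...repoRefs],
  };
}

// Resolve each reference: inline maps are decoded directly, external ones go
// through mapLookup (url -> parsed map or null), which stands in for an HTTP
// fetch so the example runs offline. A non-null map is the finding.
function auditBundle(bundleText, bundleUrl, mapLookup) {
  return findSourceMapRefs(bundleText, bundleUrl).map((ref) => {
    const map = ref.kind === 'inline' ? loadInlineMap(ref.url) : mapLookup(ref.url);
    return { ...ref, exposed: map !== null, summary: map ? summarizeSourceMap(map) : null };
  });
}

// Constructed sample bundle with the directive a bundler emits.
const SAMPLE_BUNDLE = '!function(){console.log("player")}();\n//# sourceMappingURL=player-EXAMPLE.js.map';

// Constructed sample map; the repository URL is a placeholder, not a real repo.
const SAMPLE_MAP = {
  version: 3,
  sources: ['src/player/player.tsx', 'src/tracking/event-sender.ts'],
  sourcesContent: [
    'export function Player() {\n  return null;\n}\n',
    '// mappings: https://github.com/example-org/example-repo/blob/abc123/map.md\nexport const send = (e) => fetch("/t", { body: e });\n',
  ],
  mappings: '',
};

const SAMPLE_URL = 'https://static.example.com/video/player-EXAMPLE.js';
const sampleLookup = (url) => (url === SAMPLE_URL + '.map' ? SAMPLE_MAP : null);

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE, SAMPLE_URL, sampleLookup), null, 2));
```

To run it against a real bundle, replace the lookup callback with a request for each external URL and JSON.parse the body; a 200 response is the finding. The fix the article mentions is the bundler's source-map setting: in webpack it is the devtool option (false, or hidden-source-map, which writes the map file without the sourceMappingURL directive so the map can be kept off the CDN); in Next.js productionBrowserSourceMaps defaults to false; in Vite build.sourcemap defaults to false. Whatever the tool, also confirm that previously deployed .map files are no longer served, because a stale map left on the CDN is exposed regardless of the current build setting.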


CNN Got an F. Here's What That Means for You.

CNN.com — the most-visited news website in America — scored an F on our security scan.

Not a D. Not a C-minus. An F.

Here's what that means in plain English: if you're reading CNN at a coffee shop, airport, or hotel, a hacker on the same WiFi network could replace the real CNN page with a fake one — and your browser would have no way to warn you.

Why? Because CNN is missing two basic protections:

  1. They don't force secure connections.

    When you visit most websites, your browser uses an encrypted connection (that little lock icon). CNN doesn't require this. If someone intercepts your connection, your browser just... goes along with it.

  2. They don't restrict what code can run on their pages.

    Every website should have a rule that says "only run code from our own servers." CNN's policy says "run code from anywhere." If an attacker injects malicious code, the browser happily executes it.

The attack looks like this: You sit down at Starbucks. You open CNN. A hacker on the same network serves you a page that looks exactly like CNN but has a fake "Sign in to read more" popup. You type your email and password. They now have your credentials. You'd never know it happened.

CNN has the resources to fix this in an afternoon. They haven't.
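What "force secure connections" and "restrict what code can run" look like as response headers, as an added example (not the article's scanner and not CNN's configuration): one function grades a set of response headers on exactly those two points. Both header sets are constructed; WEAK reproduces the failure modes described above, FIXED is a sound baseline.

```javascript
// Added example: not the article's scanner and not CNN's configuration.
// Grades a set of response headers on the two points this section raises.
// WEAK and FIXED below are constructed header sets.

// Parse a CSP value into a Map of directive -> source expressions.
// Browsers honour only the first occurrence of a directive.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Returns a reason string if an injected <script> could execute under the
// policy, or null if scripts are restricted. script-src governs scripts,
// default-src is the fallback, and with neither present anything runs.
function scriptSourcesAreOpen(policy) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (!sources) return 'no script-src or default-src directive';
  const s = sources.map((x) => x.toLowerCase());
  const hasNonceOrHash = s.some((x) => /^'(nonce|sha256|sha384|sha512)-/.test(x));
  const strictDynamic = s.includes("'strict-dynamic'");
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present
  if (s.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
    return "'unsafe-inline' lets injected inline scripts run";
  }
  // with 'strict-dynamic', host and scheme sources are ignored, so check them only without it
  const wild = s.find((x) => x === '*' || x === 'https:' || x === 'http:' || x === 'data:');
  if (!strictDynamic && wild) return `source "${wild}" allows scripts from anywhere`;
  return null; // host allow-lists are accepted as-is here
}

// Parse Strict-Transport-Security; any positive max-age makes the browser
// refuse plaintext http for the host on later visits.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const out = { maxAge: NaN, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const [k, v] = directive.trim().split('=').map((t) => t.trim().toLowerCase());
    if (k === 'max-age') out.maxAge = Number(v);
    else if (k === 'includesubdomains') out.includeSubDomains = true;
    else if (k === 'preload') out.preload = true;
  }
  return out;
}

const ONE_YEAR = 31536000;

// headers: plain object keyed by lower-cased header name. A Report-Only CSP
// is deliberately not consulted, because it reports and does not block.
function assessHeaders(headers) {
  const findings = [];
  const hsts = parseHsts(headers['strict-transport-security']);
  const forcesHttps = hsts !== null && hsts.maxAge > 0;
  if (!hsts) findings.push('no Strict-Transport-Security header');
  else if (!forcesHttps) findings.push('Strict-Transport-Security has a zero or invalid max-age');
  else if (hsts.maxAge < ONE_YEAR) findings.push(`HSTS max-age ${hsts.maxAge}s is below the one year preload lists expect`);

  let restrictsScripts = false;
  const csp = headers['content-security-policy'];
  if (!csp) findings.push('no Content-Security-Policy header');
  else {
    const why = scriptSourcesAreOpen(parseCsp(csp));
    if (why) findings.push(`CSP does not restrict scripts: ${why}`);
    else restrictsScripts = true;
  }
  return { forcesHttps, restrictsScripts, findings };
}

// Constructed samples: WEAK has no HSTS and a policy that runs anything.
const WEAK = { 'content-security-policy': "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:" };
const FIXED = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'",
};

console.log('weak :', assessHeaders(WEAK));
console.log('fixed:', assessHeaders(FIXED));
```

On nginx the fixed set is two add_header lines in the server block (add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; and the matching add_header Content-Security-Policy line); other servers and CDNs have an equivalent. Two caveats the check encodes: a Content-Security-Policy-Report-Only header reports but does not block, so it does not count, and HSTS only takes effect after the browser has seen it once over https, which is why the redirect from plain http still matters.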


The Website Builders Can't Build Secure Websites

This is the one that really stung.

Wix — the platform that 200 million people use to build websites — got an F.

Squarespace — the "build it beautiful" website builder — also got an F.

These are companies whose entire job is making websites. And they can't secure their own.

Wix left internal code files publicly accessible on their servers. Squarespace is even worse — parts of their homepage actually load over an unencrypted connection. In 2026. On a website builder's homepage.

If the company building your website has gaping security holes in their own site, what does that say about the sites they build for you?

It's like hiring a locksmith who leaves his own front door wide open.

Company            Their Job               Grade
Wix                Build websites for you  F
Squarespace        Build websites for you  F
WordPress.com      Build websites for you  D
Average indie dev  Built it last weekend   C

Read that again. The average person who built a side project last weekend has better security than the platforms that are supposed to make web development easy and safe.


Twitter Doesn't Lock the Side Door

Type http://twitter.com into your browser. Notice the http — no "s."

Every major website automatically redirects you to the secure version. Google does it. Facebook does it. Your bank definitely does it. It's been standard for over a decade.

Twitter doesn't.

If you visit Twitter without the "s," you get the unencrypted version. Your login cookies, your DMs, your browsing activity — all traveling in plain text, readable by anyone between you and Twitter's servers.

It's 2026 and one of the world's largest social networks hasn't flipped a switch that takes 30 seconds to configure.
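The "switch" described here is an HTTP-to-HTTPS redirect. As an added example (not the article's scanner), here is the check a site owner can run against their own domain for this point and for the "doesn't force secure connections" point in the CNN section: follow the chain an http:// request produces and report whether it ends on https without ever dropping back to plaintext on the way. The responses come from a constructed table keyed by URL, so it runs offline, and the hostnames are placeholders.

```javascript
// Added example, not the article's scanner: follow the redirect chain that an
// http:// request produces and report whether it ends on https without ever
// stepping back to plaintext. Responses come from a constructed table keyed
// by URL, so this runs offline; the hostnames are placeholders.

const MAX_HOPS = 10;

// Classify a completed chain (the last hop is a non-redirect response).
function classifyChain(hops) {
  let sawHttps = false;
  for (const hop of hops) {
    if (hop.url.startsWith('https://')) sawHttps = true;
    else if (sawHttps) return 'downgrade-in-chain'; // https -> http: cookies and content cross plaintext again
  }
  return hops[hops.length - 1].url.startsWith('https://') ? 'redirects-to-https' : 'served-over-http';
}

// lookup(url) -> { status, headers } or null. In a live check this is one
// request per hop with automatic redirects disabled, so every Location is seen.
function followChain(startUrl, lookup) {
  const hops = [];
  const seen = new Set();
  let current = startUrl;
  while (hops.length <= MAX_HOPS) {
    if (seen.has(current)) return { hops, verdict: 'loop' };
    seen.add(current);
    const resp = lookup(current);
    hops.push({ url: current, status: resp ? resp.status : null });
    if (!resp) return { hops, verdict: 'unreachable' };
    const location = resp.headers && resp.headers.location;
    if (resp.status >= 300 && resp.status < 400 && location) {
      current = new URL(location, current).href; // Location may be relative
      continue;
    }
    return { hops, verdict: classifyChain(hops) };
  }
  return { hops, verdict: 'too-many-redirects' };
}

// Constructed responses. "good" does it right; "sidedoor" is the case above
// (the plaintext page is served as-is, cookie included); "bounce" goes to
// https and then back to http; "loop" redirects to itself.
const RESPONSES = {
  'http://good.example/':       { status: 301, headers: { location: 'https://good.example/' } },
  'https://good.example/':      { status: 200, headers: { 'strict-transport-security': 'max-age=31536000' } },
  'http://sidedoor.example/':   { status: 200, headers: { 'set-cookie': 'session=abc123; Path=/' } },
  'http://bounce.example/':     { status: 302, headers: { location: 'https://bounce.example/' } },
  'https://bounce.example/':    { status: 302, headers: { location: 'http://bounce.example/home' } },
  'http://bounce.example/home': { status: 200, headers: {} },
  'http://loop.example/':       { status: 301, headers: { location: '/' } },
};
const sampleLookup = (url) => RESPONSES[url] ?? null;

for (const start of ['http://good.example/', 'http://sidedoor.example/', 'http://bounce.example/', 'http://loop.example/']) {
  const { verdict, hops } = followChain(start, sampleLookup);
  console.log(verdict.padEnd(20), hops.map((h) => `${h.status ?? '-'} ${h.url}`).join(' -> '));
}
```

The server-side fix is a catch-all redirect in the plaintext listener, for example return 301 https://$host$request_uri; in an nginx server block on port 80, followed by the Strict-Transport-Security header on the https side so that later visits skip the plaintext hop entirely.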


Dropbox's Cookie Problem

Dropbox — the company that stores your files "securely in the cloud" — has a small piece of verification data that's missing a basic security flag.

Dropbox uses this data to confirm that actions on their site are really coming from you and not an attacker. It's supposed to be locked down so only their servers can read it.

But they forgot to add a one-word setting that's existed since 2002. Without it, if an attacker finds any way to run a script on a Dropbox page, they can read this data and take actions as you — like sharing your files or changing your settings.

The fix is adding one word to one line of code. It's been available for 24 years.
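The "one word" in this section is a cookie attribute. As an added example (not Dropbox's code and not the article's scanner), here is a Set-Cookie audit a site owner can run over their own response headers: it parses each cookie and reports the attributes a session or verification cookie should carry. The header values and cookie names are constructed.

```javascript
// Added example: not Dropbox's code and not the article's scanner. Parses
// Set-Cookie headers and reports the attributes a session or verification
// cookie should carry. Header values and cookie names are constructed.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: (eq === -1 ? pair : pair.slice(0, eq)).trim(),
    value: eq === -1 ? '' : pair.slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    sameSite: null,   // 'strict' | 'lax' | 'none' | null when absent
    attributes: {},   // path, domain, max-age, expires, ... (lower-cased keys)
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = typeof val === 'string' ? val.toLowerCase() : null;
    else if (key) cookie.attributes[key] = val;
  }
  return cookie;
}

// Names that usually identify a session, login or anti-forgery cookie.
const SENSITIVE_NAME = /sess|auth|login|token|csrf|xsrf/i;

// Findings for one parsed cookie. A cookie only the server needs to read
// should be HttpOnly; every cookie should be Secure with an explicit SameSite.
function auditCookie(cookie) {
  const findings = [];
  const sensitive = SENSITIVE_NAME.test(cookie.name);
  if (!cookie.secure) findings.push('missing Secure: also sent over plaintext http');
  if (sensitive && !cookie.httpOnly) findings.push('missing HttpOnly: readable by any script running on the page');
  if (cookie.sameSite === null) findings.push('no SameSite: relying on the browser default');
  else if (cookie.sameSite === 'none' && !cookie.secure) findings.push('SameSite=None is rejected without Secure');
  if (cookie.name.startsWith('__Host-') &&
      (!cookie.secure || cookie.attributes.path !== '/' || 'domain' in cookie.attributes)) {
    findings.push('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  return { name: cookie.name, sensitive, findings };
}

// Audit every Set-Cookie value a response carried.
function auditSetCookies(headerValues) {
  return headerValues.map((h) => auditCookie(parseSetCookie(h)));
}

// Constructed samples: the "before" cookie lacks the one attribute this
// section is about; the "after" is the same cookie with the full set.
const BEFORE = ['verify_token=k9x2; Path=/; Secure'];
const AFTER = ['__Host-verify_token=k9x2; Path=/; Secure; HttpOnly; SameSite=Lax'];

console.log('before:', JSON.stringify(auditSetCookies(BEFORE)));
console.log('after :', JSON.stringify(auditSetCookies(AFTER)));
```

One caveat that applies to verification tokens in particular: if the front-end script is meant to read the token and echo it back in a request header (the double-submit pattern), that cookie cannot be HttpOnly, and the session cookie next to it is the one that must be. Secure and an explicit SameSite apply either way.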


The Numbers Don't Lie

We scanned 81 websites — 37 household names and 44 indie projects posted on Reddit by everyday developers.

2 out of 81 sites got an A.
70% have no protection against script injection.
30% don't force secure connections.
6 well-known sites got an F.

What "no protection against script injection" actually means

If a hacker finds one small bug in a site's code — one place where they can sneak in a script — there's nothing stopping them from stealing everything. Your password. Your credit card. Your personal messages. The site has no guardrails, no safety net, no alarm system. It's an unlocked vault.

70% of the websites we scanned are in this situation.

What "doesn't force secure connections" actually means

Your data travels across the internet like a postcard — anyone who handles it along the way can read it. Your login credentials, your private messages, your browsing history. All visible to anyone on the same WiFi network.

30% of the websites we scanned don't prevent this.


The F-Grade Hall of Shame

Website      Users        Grade  What a Hacker Can Do
CNN          100M+/mo     F      Serve fake pages on public WiFi. Inject code that steals logins. No protections in place.
Wix          200M+ sites  F      Read internal source code. Find vulnerabilities affecting every Wix-hosted website.
Squarespace  4M+ sites    F      Intercept page content as it loads. Inject malicious code into unencrypted resources.
Replit       30M+ users   F      Download 19 internal code files. Study the architecture to plan targeted attacks.
NYTimes      90M+/mo      D      Download 7,719 lines of private source code including tracking and error handling.
Twitter/X    500M+/mo     D      Read anyone's session on public WiFi. No encryption by default.

These aren't small startups. These are billion-dollar companies with dedicated security teams. And they're failing the basics.


Why Should You Care?

You might be thinking: "I'm just a beginner. My little side project has 12 users. Why does this matter?"

1. If CNN can't get this right, nobody will do it for you.

These companies have security teams, bug bounty programs, and millions in budget. They still failed. Your hosting provider isn't going to magically protect you. Security is something YOU have to do — and the good news is, it's not that hard.

2. The fixes are embarrassingly simple.

Every issue we found can be fixed in under 30 minutes. Most take less than 5. The NYT source code leak? One line of config. CNN's missing protections? A few lines in their server settings. Twitter's redirect? A single toggle.

These aren't complex challenges. They're checkboxes that nobody checked.

3. When YOUR site gets hacked, there's no PR team.

When CNN has a security incident, they have lawyers and crisis consultants. When your side project leaks user data, it's just you — explaining to your users why their information is floating around the internet.

A single data breach costs an average of $4.88 million for a large company. For a small project, it costs something worse: every user's trust, permanently.


What You Can Do Right Now

Scan your site. Get your grade. Fix the easy stuff.
You're probably already doing better than CNN.


How We Did This

We built a security scanner that checks for the most common misconfigurations: missing security protections, exposed source code, unencrypted connections, leaked API keys, and more.

Every check is read-only — we never attempted to log in, write data, or exploit anything. Everything we found is visible to anyone with a web browser. We're not hackers. We just looked at what's already public.

If billion-dollar companies are leaving their doors unlocked, imagine what's happening on the millions of websites built by people who've never thought about security.

That's why we built SecureYourVibe. Because everyone deserves to know if their front door is open.

Next: We Scanned 274 Vibe-Coded Apps. Only 1 Got an A. — our deep-dive into AI-built indie apps.

Scanned February 2026. 81 websites: 37 major platforms and 44 indie projects sourced from Reddit (r/SideProject, r/webdev, r/nextjs) and Hacker News. All scans performed using publicly accessible HTTP requests only.