DrawAFish.com Postmortem

Role of “vibe coding” and LLMs in the failure

  • Several commenters note that some bugs (e.g., leftover “test admin” access, incomplete token checks) are extremely common even in non-AI, “properly designed” systems.
  • Others argue this is exactly the risk of vibe coding: fast prototypes get mistaken for production systems, and issues like the JWT bug are less likely with an experienced security-conscious dev.
  • One view: the core problem is human incompleteness, not LLMs; an LLM could even have been prompted to do a security review.
  • Counterview: unlike a compiler, LLMs can silently introduce subtle vulnerabilities; users tend to treat them as hands-off despite warnings, similar to self-driving cars.
  • Some expect LLMs to produce merely “mid” quality code (average developer level), so such flaws are predictable; others say that’s not how AI is being marketed.
  • Firebase is called out as a repeated source of “footguns” in vibe-coded apps, muddying how much blame belongs to AI vs. platform defaults.
  • Multiple people generalize this to “broken/missing authentication/access control” being the most common real-world vuln, with or without AI.

Nature of the vandalism and community reaction

  • Eyewitnesses describe a screen full of offensive fish: slurs, swastikas, national flags with caricatured features—likened to a 4chan wall but with fish.
  • Some readers wanted screenshots out of curiosity or dark humor; others felt that seeking more detail was just rubbernecking at a car crash.
  • A few continue to find and post links to borderline/filtered fish (e.g., swastika shapes embedded in fish, mild profanity).

Fun, harm, and user psychology

  • Many found the site delightfully silly and the postmortem unusually thoughtful for a side project.
  • One camp argues low-stakes, playful apps like this net more joy than harm and that the web needs more “silly apps from silly people.”
  • Another camp counters that once it becomes a conduit for hate speech, that calculus is no longer obvious.
  • Several commenters admit an instinct to probe or bypass filters (e.g., drawing “penis-looking” fish that evade detection).

Security responses and doxxing

  • Commenters highlight that someone used the same exploit to undo vandalism, tying it to a long history of “worm that patches” behavior and law-enforcement countermeasures.
  • Doxxing is said not to be typical for HN itself, but plausible when a site gets cross-posted to harassment-focused communities that enjoy breaking moderation, finding admin panels, and posting personal info.

Design, UX, and implementation details

  • Suggestions include adding a flip/mirror option for fish drawings and reconsidering the anonymous, rate-limited voting model (fun but abusable, and unfair under CGNAT).
  • Some ask clarifying questions on the JWT flaw; the key issue is that the server trusted any valid admin token for admin actions without ensuring it belonged to the authenticated user.
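The check described in the last bullet, as an added illustration rather than the site's own code (which is not on this page): a minimal HS256 JWT verifier with the flawed authorization check beside one that also binds the token's subject to the logged-in user. The claim names (`sub`, `role`), the `mint` helper, the demo key and the reading of the bullet as "signature and role were checked, token ownership was not" are all assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real deployment loads this from its secret store.
SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = SECRET) -> str:
    """Hypothetical login helper: issue an HS256 JWT, defaulting to a 1h expiry."""
    claims = {"exp": int(time.time()) + 3600, **claims}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, key: bytes = SECRET) -> "dict | None":
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # only accept the algorithm we issue (no alg confusion)
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def admin_allowed_vulnerable(token: str, session_user: str) -> bool:
    """Flawed pattern: any validly signed admin token authorizes the action; session_user is never consulted."""
    claims = verify(token)
    return claims is not None and claims.get("role") == "admin"


def admin_allowed_fixed(token: str, session_user: str) -> bool:
    """Hardened: the token's subject must also be the user who is actually logged in."""
    claims = verify(token)
    return (claims is not None
            and claims.get("role") == "admin"
            and hmac.compare_digest(str(claims.get("sub", "")), session_user))
```

With the flawed check, an admin token presented from any other user's session passes; the fixed check rejects it while still accepting the admin's own session.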