{"id":13915,"date":"2025-10-30T19:55:58","date_gmt":"2025-10-30T16:55:58","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=13915"},"modified":"2025-10-30T19:55:58","modified_gmt":"2025-10-30T16:55:58","slug":"vibe-coding-2025-risks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/vibe-coding-2025-risks\/13915\/","title":{"rendered":"Yapay zeka kodlamas\u0131n\u0131n gizli tehlikeleri"},"content":{"rendered":"<p>\u0130\u015fyerinde yapay zeka asistanlar\u0131n\u0131n faydalar\u0131 <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/shadow-ai-3-policies\/13763\/\" target=\"_blank\" rel=\"noopener\">tart\u0131\u015fmal\u0131<\/a> olsa da, bu asistanlar\u0131n en g\u00fcvenle kullan\u0131ld\u0131\u011f\u0131 alan yaz\u0131l\u0131m geli\u015ftirmedir. Burada LLM\u2019ler; yeniden yap\u0131land\u0131rma ve dok\u00fcmantasyondan t\u00fcm uygulamalar\u0131n olu\u015fturulmas\u0131na kadar, bir\u00e7ok rol oynar. Ancak, geli\u015ftirme s\u00fcrecindeki geleneksel bilgi g\u00fcvenli\u011fi sorunlar\u0131, art\u0131k yapay zeka modellerinin kendine \u00f6zg\u00fc g\u00fcvenlik a\u00e7\u0131klar\u0131yla daha da karma\u015f\u0131k hale gelmi\u015ftir. Bu kesi\u015fimde, neredeyse her hafta yeni hatalar ve sorunlar ortaya \u00e7\u0131kmaktad\u0131r.<\/p>\n<h2>G\u00fcvenlik a\u00e7\u0131\u011f\u0131 bulunan yapay zeka taraf\u0131ndan olu\u015fturulan kod<\/h2>\n<p>Bir b\u00fcy\u00fck dil modeli kod \u00fcretti\u011finde, hatalar veya g\u00fcvenlik a\u00e7\u0131klar\u0131 s\u00f6z konusu olabilir. Sonu\u00e7ta, bu modeller internette herkese a\u00e7\u0131k verilerle e\u011fitilir ve bunlara binlerce d\u00fc\u015f\u00fck kaliteli kod \u00f6rne\u011fi de dahildir. Veracode\u2019un yak\u0131n zamanda yapt\u0131\u011f\u0131 bir <a href=\"https:\/\/www.veracode.com\/blog\/genai-code-security-report\/\" target=\"_blank\" rel=\"noopener nofollow\">ara\u015ft\u0131rmaya<\/a> g\u00f6re, \u00f6nde gelen yapay zeka modelleri art\u0131k %90 ba\u015far\u0131yla derlenen kodlar \u00fcretmektedir. \u0130ki y\u0131ldan daha k\u0131sa bir s\u00fcre \u00f6nce bu rakam %20\u2019nin alt\u0131ndayd\u0131. Ancak, bu kodlar\u0131n g\u00fcvenli\u011fi iyile\u015fmi\u015f diyemeyiz. %45\u2019i hala <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\" target=\"_blank\" rel=\"noopener nofollow\">OWASP Top-10<\/a> listesindeki klasik g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131 i\u00e7ermektedir ve son iki y\u0131lda bu konuda pek bir \u015fey de\u011fi\u015fmi\u015f de\u011fildir. Ara\u015ft\u0131rma; Java, Python, C# ve JavaScript dillerinde y\u00fcz\u00fcn \u00fczerinde pop\u00fcler LLM ve kod par\u00e7ac\u0131\u011f\u0131n\u0131 kaps\u0131yordu. Bu nedenle, LLM\u2019nin Windsurf\u2019te \u201ckod tamamlama\u201d veya Loveable\u2019da \u201c<a href=\"https:\/\/tr.wikipedia.org\/wiki\/Vibe_coding\" target=\"_blank\" rel=\"noopener nofollow\">vibe kodlama<\/a>\u201d i\u00e7in kullan\u0131l\u0131p kullan\u0131lmad\u0131\u011f\u0131na bak\u0131lmaks\u0131z\u0131n, nihai uygulama kapsaml\u0131 bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 testinden ge\u00e7melidir. Ancak pratikte bu nadiren ger\u00e7ekle\u015fir: <a href=\"https:\/\/www.wiz.io\/blog\/common-security-risks-in-vibe-coded-apps\" target=\"_blank\" rel=\"noopener nofollow\">Wiz\u2019in yapt\u0131\u011f\u0131 bir ara\u015ft\u0131rmaya g\u00f6re<\/a>, vibe kodlu uygulamalar\u0131n %20\u2019sinde ciddi g\u00fcvenlik a\u00e7\u0131klar\u0131 veya yap\u0131land\u0131rma hatalar\u0131 bulunmaktad\u0131r.<\/p>\n<p>Bu t\u00fcr kusurlar\u0131n bir \u00f6rne\u011fi olarak, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/tea-app-leak-worsens-with-second-database-exposing-user-chats\/\" target=\"_blank\" rel=\"noopener nofollow\">iki b\u00fcy\u00fck veri s\u0131z\u0131nt\u0131s\u0131n\u0131n<\/a> ard\u0131ndan k\u00f6t\u00fc \u015f\u00f6hret kazanan, sadece kad\u0131nlara y\u00f6nelik arkada\u015fl\u0131k uygulamas\u0131 Tea\u2019n\u0131n durumu s\u0131kl\u0131kla \u00f6rnek olarak g\u00f6sterilir. Ancak, bu uygulama vibe kodlamadan \u00f6nce geli\u015ftirilmi\u015ftir. Tea\u2019n\u0131n hatas\u0131n\u0131n sorumlusu yapay zeka m\u0131yd\u0131, <a href=\"https:\/\/news.bloomberglaw.com\/bloomberg-law-analysis\/analysis-trouble-brews-for-tea-app-amid-vibe-coding-allegations\" target=\"_blank\" rel=\"noopener nofollow\">bu mahkeme taraf\u0131ndan belirlenecek<\/a>. Ancak Enrichlead adl\u0131 startup \u015firketinde, su\u00e7lu kesinlikle yapay zeka idi. Kurucusu, sosyal medyada platformunun kodunun %100\u2019\u00fcn\u00fcn Cursor yapay zeka taraf\u0131ndan yaz\u0131ld\u0131\u011f\u0131n\u0131 ve \u201celle yaz\u0131lm\u0131\u015f kodun s\u0131f\u0131r\u201d oldu\u011funu \u00f6v\u00fcnerek <a href=\"https:\/\/twitter.com\/leojr94_\/status\/1900767509621674109\" target=\"_blank\" rel=\"noopener nofollow\">duyurdu<\/a>. Lansman\u0131ndan sadece birka\u00e7 g\u00fcn sonra platformun, <a href=\"https:\/\/twitter.com\/leojr94_\/status\/1901560276488511759?ref_src=twsrc%5etfw\" target=\"_blank\" rel=\"noopener nofollow\">acemi seviyesinde g\u00fcvenlik a\u00e7\u0131klar\u0131yla dolu oldu\u011fu ortaya \u00e7\u0131kt<\/a>\u0131. Bu a\u00e7\u0131klar, herkesin \u00fccretli \u00f6zelliklere eri\u015fmesine veya verileri de\u011fi\u015ftirmesine olanak tan\u0131yordu. Kurucu, Cursor kullanarak kodu kabul edilebilir bir g\u00fcvenlik standard\u0131na getiremedi\u011finden proje sonland\u0131r\u0131ld\u0131. Ancak, o y\u0131lmadan devam etti ve o zamandan beri yeni vibe kodlama tabanl\u0131 projeler ba\u015flatt\u0131.<\/p>\n<h2>Yapay zeka taraf\u0131ndan \u00fcretilen kodlarda yayg\u0131n olarak g\u00f6r\u00fclen g\u00fcvenlik a\u00e7\u0131klar\u0131<\/h2>\n<p>Yapay zeka destekli programlama sadece bir veya iki y\u0131ld\u0131r var olmas\u0131na ra\u011fmen, <a href=\"https:\/\/www.wiz.io\/blog\/common-security-risks-in-vibe-coded-apps\" target=\"_blank\" rel=\"noopener nofollow\">en yayg\u0131n hatalar\u0131n\u0131<\/a> belirlemek i\u00e7in yeterli veri zaten mevcuttur ve genel olarak a\u015fa\u011f\u0131daki \u015fekilde s\u0131ralanabilir:<\/p>\n<ul>\n<li>Giri\u015f do\u011frulamas\u0131n\u0131n olmamas\u0131, kullan\u0131c\u0131 giri\u015flerinin gereksiz karakterlerden ar\u0131nd\u0131r\u0131lmamas\u0131 ve siteler aras\u0131 komut dosyas\u0131 \u00e7al\u0131\u015ft\u0131rma (XSS) ve SQL enjeksiyonu gibi klasik g\u00fcvenlik a\u00e7\u0131klar\u0131na yol a\u00e7an di\u011fer temel hatalar.<\/li>\n<li>API anahtarlar\u0131 ve di\u011fer gizli bilgilerin do\u011frudan web sayfas\u0131na kodlanmas\u0131 ve kullan\u0131c\u0131lar taraf\u0131ndan kodda g\u00f6r\u00fclebilir olmas\u0131.<\/li>\n<li>Kimlik do\u011frulama mant\u0131\u011f\u0131n\u0131n tamamen istemci taraf\u0131nda, do\u011frudan taray\u0131c\u0131da \u00e7al\u0131\u015fan site kodunda uygulanmas\u0131; bu mant\u0131k, herhangi bir kontrol\u00fc atlamak i\u00e7in kolayca de\u011fi\u015ftirilebilir.<\/li>\n<li>G\u00fcnl\u00fckleri yazarken yetersiz filtrelemeden g\u00fcnl\u00fcklerin tamamen yok olmas\u0131na kadar g\u00fcnl\u00fck kay\u0131t hatalar\u0131.<\/li>\n<li>A\u015f\u0131r\u0131 g\u00fc\u00e7l\u00fc ve tehlikeli i\u015flevler: Yapay zeka modelleri, bir g\u00f6revi m\u00fcmk\u00fcn olan en k\u0131sa yolla \u00e7\u00f6zen kod \u00fcretmek \u00fczere optimize edilmi\u015ftir. Ancak en k\u0131sa yol genellikle en g\u00fcvenli olan de\u011fildir. Bir ders kitab\u0131 \u00f6rne\u011fi, kullan\u0131c\u0131 girdisi \u00fczerinde matematiksel i\u015flemler i\u00e7in <a href=\"https:\/\/cloudsecurityalliance.org\/blog\/2025\/07\/09\/understanding-security-risks-in-ai-generated-code\" target=\"_blank\" rel=\"noopener nofollow\">eval i\u015flevini kullanmakt\u0131r<\/a>. Bu, olu\u015fturulan uygulamada keyfi kod y\u00fcr\u00fct\u00fclmesine olanak tan\u0131r.<\/li>\n<li>G\u00fcncel olmayan veya var olmayan ba\u011f\u0131ml\u0131l\u0131klar: Yapay zeka taraf\u0131ndan olu\u015fturulan kodlar genellikle k\u00fct\u00fcphanelerin eski s\u00fcr\u00fcmlerine ba\u015fvurur, g\u00fcncel olmayan veya g\u00fcvenli olmayan API \u00e7a\u011fr\u0131lar\u0131nda bulunur, hatta <a href=\"https:\/\/www.kaspersky.com\/blog\/ai-slopsquatting-supply-chain-risk\/53327\/\" target=\"_blank\" rel=\"noopener nofollow\">hayali k\u00fct\u00fcphaneleri i\u00e7e aktarmaya<\/a> \u00e7al\u0131\u015f\u0131r. \u0130kincisi \u00f6zellikle tehlikelidir, \u00e7\u00fcnk\u00fc sald\u0131rganlar \u201cmakul\u201d bir isimle k\u00f6t\u00fc ama\u00e7l\u0131 bir k\u00fct\u00fcphane olu\u015fturabilir ve yapay zeka ajan\u0131 bunu ger\u00e7ek bir projeye dahil edebilir.<\/li>\n<\/ul>\n<p>Sistematik bir \u00e7al\u0131\u015fmada, yazarlar <a href=\"https:\/\/arxiv.org\/pdf\/2412.15004\" target=\"_blank\" rel=\"noopener nofollow\">yapay zeka taraf\u0131ndan \u00fcretilen kodu<\/a>, <a href=\"https:\/\/cwe.mitre.org\/top25\/\" target=\"_blank\" rel=\"noopener nofollow\">MITRE CWE Top 25 listesinde<\/a> yer alan zay\u0131fl\u0131klar a\u00e7\u0131s\u0131ndan tarad\u0131lar. En yayg\u0131n sorunlar CWE-94 (kod enjeksiyonu), CWE-78 (i\u015fletim sistemi komut enjeksiyonu), CWE-190 (tamsay\u0131 ta\u015fmas\u0131), CWE-306 (eksik kimlik do\u011frulama) ve CWE-434 (s\u0131n\u0131rs\u0131z dosya y\u00fckleme) idi.<\/p>\n<p>CWE-94\u2019\u00fcn \u00e7arp\u0131c\u0131 bir \u00f6rne\u011fi Nx platformunun yak\u0131n zamanda ele ge\u00e7irilmesiydi ki <a href=\"https:\/\/www.kaspersky.com\/blog\/nx-build-s1ngularity-supply-chain-attack\/54223\/\" target=\"_blank\" rel=\"noopener nofollow\">bu konuyu daha \u00f6nce ele alm\u0131\u015ft\u0131k<\/a>. Sald\u0131rganlar, yeni \u00fcr\u00fcn s\u00fcr\u00fcmlerini yay\u0131nlamalar\u0131n\u0131 sa\u011flayan bir belirteci \u00e7alarak, pop\u00fcler bir geli\u015ftirme arac\u0131n\u0131 trojanize etmeyi ba\u015fard\u0131lar. Belirte\u00e7 h\u0131rs\u0131zl\u0131\u011f\u0131nda, <a href=\"https:\/\/github.com\/nrwl\/nx\/pull\/32458\" target=\"_blank\" rel=\"noopener nofollow\">basit bir yapay zeka taraf\u0131ndan olu\u015fturulan<\/a> kod par\u00e7ac\u0131\u011f\u0131n\u0131n meydana getirdi\u011fi bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131ndan yararlan\u0131ld\u0131.<\/p>\n<h2>Tehlikeli komut istemleri<\/h2>\n<p>Geli\u015ftiriciler aras\u0131nda iyi bilinen \u201cspesifikasyona tam olarak uygun\u201d deyimi, yapay zeka asistan\u0131yla \u00e7al\u0131\u015f\u0131rken de ge\u00e7erlidir. \u0130\u015flev veya uygulama olu\u015fturma talimat\u0131 belirsizse ve g\u00fcvenlik unsurlar\u0131ndan bahsetmiyorsa, g\u00fcvenlik a\u00e7\u0131\u011f\u0131 bulunan kod olu\u015fturma olas\u0131l\u0131\u011f\u0131 keskin bir \u015fekilde artar. <a href=\"https:\/\/arxiv.org\/pdf\/2502.06039\" target=\"_blank\" rel=\"noopener nofollow\">\u00d6zel bir ara\u015ft\u0131rma<\/a>, \u201ckodun g\u00fcvenli olmas\u0131 i\u00e7in en iyi uygulamalar\u0131 izledi\u011finden emin ol\u201d gibi genel uyar\u0131lar\u0131n bile g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131n oran\u0131n\u0131 yar\u0131 yar\u0131ya azaltt\u0131\u011f\u0131n\u0131 ortaya koydu.<\/p>\n<p>Ancak en etkili yakla\u015f\u0131m, MITRE veya OWASP hata listelerine at\u0131fta bulunan ayr\u0131nt\u0131l\u0131, dile \u00f6zg\u00fc g\u00fcvenlik k\u0131lavuzlar\u0131n\u0131 kullanmakt\u0131r. Wiz Research\u2019\u00fcn bu t\u00fcr g\u00fcvenlik talimatlar\u0131n\u0131n geni\u015f bir koleksiyonu <a href=\"https:\/\/github.com\/wiz-sec-public\/secure-rules-files\" target=\"_blank\" rel=\"noopener nofollow\">GitHub<\/a>\u2018da mevcuttur ve bunlar\u0131; <em>claude.md<\/em>, <em>.windsurfrules<\/em> veya benzeri dosyalar arac\u0131l\u0131\u011f\u0131yla, yapay zeka asistanlar\u0131n\u0131n sistem istemlerine eklemeniz \u00f6nerilir.<\/p>\n<h2>Revizyonlar s\u0131ras\u0131nda g\u00fcvenli\u011fin bozulmas\u0131<\/h2>\n<p>Yapay zeka taraf\u0131ndan \u00fcretilen kod, sonraki komutlarla tekrar tekrar revize edildi\u011finde g\u00fcvenli\u011fi bozulur. Yak\u0131n zamanda yap\u0131lan bir <a href=\"https:\/\/arxiv.org\/abs\/2506.11022\" target=\"_blank\" rel=\"noopener nofollow\">\u00e7al\u0131\u015fmada<\/a>, GPT-4o daha \u00f6nce yaz\u0131lm\u0131\u015f kodu 40 defaya kadar de\u011fi\u015ftirdi ve ara\u015ft\u0131rmac\u0131lar her turdan sonra her s\u00fcr\u00fcm\u00fc g\u00fcvenlik a\u00e7\u0131klar\u0131 a\u00e7\u0131s\u0131ndan tarad\u0131. Sadece be\u015f yinelemeden sonra, kod ilk s\u00fcr\u00fcmden %37 daha fazla kritik g\u00fcvenlik a\u00e7\u0131\u011f\u0131 i\u00e7eriyordu. \u00c7al\u0131\u015fmada d\u00f6rt farkl\u0131 te\u015fvik stratejisi test edildi. Bunlardan \u00fc\u00e7\u00fc farkl\u0131 a\u011f\u0131rl\u0131k noktalar\u0131na sahipti: (i) performans, (ii) g\u00fcvenlik ve (iii) yeni i\u015flevsellik; d\u00f6rd\u00fcnc\u00fcs\u00fc ise belirsiz ve net olmayan te\u015fviklerle yaz\u0131lm\u0131\u015ft\u0131.<\/p>\n<p>Yeni \u00f6zelliklerin eklenmesine odaklanan istemlerde, 29\u2019u kritik olmak \u00fczere 158 g\u00fcvenlik a\u00e7\u0131\u011f\u0131 ortaya \u00e7\u0131kt\u0131. G\u00fcvenli kodlama vurguland\u0131\u011f\u0131nda, bu say\u0131 \u00f6nemli \u00f6l\u00e7\u00fcde azald\u0131, ancak yine de 38 yeni g\u00fcvenlik a\u00e7\u0131\u011f\u0131 vard\u0131 ve bunlar\u0131n yedisi kritik d\u00fczeydeydi.<\/p>\n<p>\u0130lgin\u00e7 bir \u015fekilde, \u201cg\u00fcvenlik odakl\u0131\u201d uyar\u0131lar, kriptografi ile ilgili i\u015flevlerde en y\u00fcksek hata y\u00fczdesine neden oldu.<\/p>\n<h2>Sekt\u00f6r ba\u011flam\u0131n\u0131 g\u00f6z ard\u0131 etmek<\/h2>\n<p>Finans, sa\u011fl\u0131k ve lojistik gibi sekt\u00f6rlerde, uygulama geli\u015ftirme s\u0131ras\u0131nda dikkate al\u0131nmas\u0131 gereken teknik, organizasyonel ve yasal gereklilikler bulunmaktad\u0131r. Yapay zeka asistanlar\u0131 bu k\u0131s\u0131tlamalar\u0131n fark\u0131nda de\u011fildir. Bu sorun genellikle \u201cderinlik eksikli\u011fi\u201d olarak adland\u0131r\u0131l\u0131r. Sonu\u00e7 olarak, yerel veya sekt\u00f6rel d\u00fczenlemelerle zorunlu k\u0131l\u0131nan ki\u015fisel, t\u0131bbi ve finansal verilerin depolanmas\u0131 ve i\u015flenmesine y\u00f6nelik y\u00f6ntemler, yapay zeka taraf\u0131ndan \u00fcretilen kodlara yans\u0131t\u0131lmaz. \u00d6rne\u011fin, bir asistan mevduat faizini hesaplamak i\u00e7in matematiksel olarak do\u011fru bir fonksiyon yazabilir, ancak d\u00fczenleyiciler taraf\u0131ndan uygulanan yuvarlama kurallar\u0131n\u0131 g\u00f6z ard\u0131 edebilir. Sa\u011fl\u0131k verileri d\u00fczenlemeleri genellikle her eri\u015fim giri\u015fiminin ayr\u0131nt\u0131l\u0131 olarak kaydedilmesini gerektirir. Bu, yapay zekan\u0131n uygun ayr\u0131nt\u0131 d\u00fczeyinde otomatik olarak uygulayamayaca\u011f\u0131 bir \u015feydir.<\/p>\n<h2>Uygulaman\u0131n yanl\u0131\u015f yap\u0131land\u0131r\u0131lmas\u0131<\/h2>\n<p>G\u00fcvenlik a\u00e7\u0131klar\u0131 sadece vibe koduyla s\u0131n\u0131rl\u0131 de\u011fildir. Vibe kodlama ile olu\u015fturulan uygulamalar genellikle deneyimsiz kullan\u0131c\u0131lar taraf\u0131ndan geli\u015ftirilir. Bu kullan\u0131c\u0131lar, \u00e7al\u0131\u015fma zaman\u0131 ortam\u0131n\u0131 hi\u00e7 yap\u0131land\u0131rmazlar ya da ayn\u0131 yapay zekan\u0131n tavsiyelerine g\u00f6re yap\u0131land\u0131r\u0131rlar. Bu, tehlikeli yap\u0131land\u0131rma hatalar\u0131na yol a\u00e7ar:<\/p>\n<ul>\n<li>Uygulama taraf\u0131ndan gerekli k\u0131l\u0131nan veri tabanlar\u0131, \u00e7ok geni\u015f d\u0131\u015f eri\u015fim izinleriyle olu\u015fturulur. Bu, sald\u0131rgan\u0131n uygulamay\u0131 kullanmas\u0131na gerek kalmadan t\u00fcm veri taban\u0131n\u0131 indirmesine veya silmesine olanak tan\u0131yan Tea\/<a href=\"https:\/\/therecord.media\/brazil-lesbian-dating-app-shuts-down-vulnerability\" target=\"_blank\" rel=\"noopener nofollow\">Sapphos<\/a> gibi s\u0131z\u0131nt\u0131lara neden olur.<\/li>\n<li>\u015eirket i\u00e7i uygulamalar, kimlik do\u011frulama yap\u0131lmadan herkesin eri\u015fimine a\u00e7\u0131k b\u0131rak\u0131l\u0131r.<\/li>\n<li>Uygulamalara kritik veri tabanlar\u0131na eri\u015fim i\u00e7in y\u00fckseltilmi\u015f izinler verilir. Bu durum, yapay zeka taraf\u0131ndan olu\u015fturulan kodun g\u00fcvenlik a\u00e7\u0131klar\u0131yla birle\u015fti\u011finde, SQL enjeksiyonlar\u0131n\u0131 ve benzer sald\u0131r\u0131lar\u0131 kolayla\u015ft\u0131r\u0131r.<\/li>\n<\/ul>\n<h2>Platform g\u00fcvenlik a\u00e7\u0131klar\u0131<\/h2>\n<p>\u00c7o\u011fu vibe kodlama platformu, komut istemlerinden olu\u015fturulan uygulamalar\u0131 do\u011frudan kendi sunucular\u0131nda \u00e7al\u0131\u015ft\u0131r\u0131r. Bu, geli\u015ftiricileri platforma ba\u011flar. Platformun g\u00fcvenlik a\u00e7\u0131klar\u0131na maruz kalma ve g\u00fcvenlik uygulamalar\u0131na ba\u011f\u0131ml\u0131l\u0131k da bu kapsamda de\u011ferlendirilebilir. \u00d6rne\u011fin, Temmuz ay\u0131nda <a href=\"https:\/\/www.wiz.io\/blog\/critical-vulnerability-base44\" target=\"_blank\" rel=\"noopener nofollow\">Base44 platformunda<\/a>, kimli\u011fi do\u011frulanmam\u0131\u015f sald\u0131rganlar\u0131n herhangi bir \u00f6zel uygulamaya eri\u015fmesine olanak tan\u0131yan bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 ke\u015ffedildi.<\/p>\n<h2>Geli\u015fim a\u015famas\u0131ndaki tehditler<\/h2>\n<p>Geli\u015ftiricinin bilgisayar\u0131nda geni\u015f eri\u015fim haklar\u0131na sahip bir asistan\u0131n varl\u0131\u011f\u0131 bile riskler yarat\u0131r. \u0130\u015fte birka\u00e7 \u00f6rnek:<\/p>\n<p>CurXecute g\u00fcvenlik a\u00e7\u0131\u011f\u0131 (<a href=\"https:\/\/github.com\/cursor\/cursor\/security\/advisories\/GHSA-4cxx-hrm3-49rm\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-54135<\/a>), sald\u0131rganlar\u0131n pop\u00fcler yapay zeka geli\u015ftirme arac\u0131 Cursor\u2019a, geli\u015ftiricinin makinesinde rastgele komutlar y\u00fcr\u00fctmesini emretmesine olanak tan\u0131d\u0131. Bunun i\u00e7in tek gereken, Cursor\u2019a ba\u011fl\u0131 aktif bir Model Context Protocol (MCP) sunucusuydu ve bu sunucu, harici bir taraf\u0131n eri\u015fim i\u00e7in kullanabilece\u011fi bir sunucuydu. Bu tipik bir durumdur; MCP sunucular\u0131, yapay zeka ajanlar\u0131na Slack mesajlar\u0131na, Jira sorunlar\u0131na vb. eri\u015fim izni verir. H\u0131zl\u0131 enjeksiyon, bu kanallar\u0131n herhangi biri arac\u0131l\u0131\u011f\u0131yla ger\u00e7ekle\u015ftirilebilir.<\/p>\n<p>EscapeRoute g\u00fcvenlik a\u00e7\u0131\u011f\u0131 (<a href=\"https:\/\/github.com\/modelcontextprotocol\/servers\/security\/advisories\/GHSA-q66q-fx2p-7w4m\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-53109<\/a>), geli\u015ftiricinin diskinde rastgele dosyalar\u0131n okunmas\u0131na ve yaz\u0131lmas\u0131na izin veriyordu. Bu kusur, yapay zeka ajanlar\u0131n\u0131n sistemde dosya yaz\u0131p okumas\u0131na olanak tan\u0131yan Anthropic\u2019in pop\u00fcler MCP sunucusunda mevcuttu. Sunucunun eri\u015fim k\u0131s\u0131tlamalar\u0131 i\u015fe yaramad\u0131.<\/p>\n<p>Yapay zeka ajanlar\u0131n\u0131n Postmark arac\u0131l\u0131\u011f\u0131yla e-posta g\u00f6nderip almas\u0131na izin veren <a href=\"https:\/\/thehackernews.com\/2025\/09\/first-malicious-mcp-server-found.html\" target=\"_blank\" rel=\"noopener nofollow\">k\u00f6t\u00fc niyetli bir MCP sunucusu<\/a>, t\u00fcm yaz\u0131\u015fmalar\u0131 gizli bir adrese ayn\u0131 anda iletiyordu. Eyl\u00fcl ay\u0131nda bu t\u00fcr <a href=\"https:\/\/securelist.com\/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks\/117473\/\" target=\"_blank\" rel=\"noopener\">k\u00f6t\u00fc ama\u00e7l\u0131 MCP sunucular\u0131n\u0131n<\/a> ortaya \u00e7\u0131kaca\u011f\u0131n\u0131 \u00f6ng\u00f6rm\u00fc\u015ft\u00fck.<\/p>\n<p>Gemini komut sat\u0131r\u0131 arabirimindeki bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131, bir geli\u015ftirici yapay zeka asistan\u0131ndan yeni bir projenin kodunu analiz etmesini istedi\u011finde <a href=\"https:\/\/github.com\/google-gemini\/gemini-cli\/pull\/4795\" target=\"_blank\" rel=\"noopener nofollow\">rastgele komutlar\u0131n y\u00fcr\u00fct\u00fclmesine<\/a> olanak sa\u011fl\u0131yordu. K\u00f6t\u00fc ama\u00e7l\u0131 enjeksiyon, <em>readme.md<\/em> dosyas\u0131ndan tetiklendi.<\/p>\n<p>Amazon\u2019un Visual Studio Code i\u00e7in Q Developer uzant\u0131s\u0131, geli\u015ftiricinin bilgisayar\u0131ndaki <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/amazon-ai-coding-agent-hacked-to-inject-data-wiping-commands\/\" target=\"_blank\" rel=\"noopener nofollow\">t\u00fcm verileri silmek i\u00e7in<\/a> talimatlar i\u00e7eriyordu. Bir sald\u0131rgan, Amazon geli\u015ftiricilerinin yapt\u0131\u011f\u0131 bir hatay\u0131 kullanarak, \u00f6zel ayr\u0131cal\u0131klara sahip olmadan bu k\u00f6t\u00fc ama\u00e7l\u0131 komut istemini asistan\u0131n genel koduna eklemeyi ba\u015fard\u0131. Neyse ki, k\u00fc\u00e7\u00fck bir kodlama hatas\u0131 bunun y\u00fcr\u00fct\u00fclmesini engelledi.<\/p>\n<p>Claude Code ajan\u0131 (<a href=\"https:\/\/embracethered.com\/blog\/posts\/2025\/claude-code-exfiltration-via-dns-requests\/\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-55284<\/a>) i\u00e7indeki bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131, DNS istekleri yoluyla bir geli\u015ftiricinin bilgisayar\u0131ndan verilerin s\u0131zd\u0131r\u0131lmas\u0131na olanak sa\u011flad\u0131. Onay gerektirmeden otomatik olarak \u00e7al\u0131\u015fan yayg\u0131n yard\u0131mc\u0131 programlara dayanan h\u0131zl\u0131 enjeksiyon, ajan taraf\u0131ndan analiz edilen herhangi bir koda g\u00f6m\u00fclebilir.<\/p>\n<p>Otonom yapay zeka ajan\u0131 Replit, geli\u015ftirmekte oldu\u011fu bir projenin birincil veri tabanlar\u0131n\u0131, <a href=\"https:\/\/twitter.com\/jasonlk\/status\/1946069562723897802\" target=\"_blank\" rel=\"noopener nofollow\">veri taban\u0131n\u0131n temizlenmesi gerekti\u011fine karar verdi\u011fi i\u00e7in sildi<\/a>. Bu, de\u011fi\u015fiklikleri yasaklayan do\u011frudan bir talimat\u0131 (kod dondurma) ihlal etti. Bu beklenmedik yapay zeka davran\u0131\u015f\u0131n\u0131n arkas\u0131nda \u00f6nemli bir mimari kusur yat\u0131yordu: O d\u00f6nemde Replit, test ve \u00fcretim veri tabanlar\u0131 aras\u0131nda herhangi bir <a href=\"https:\/\/x.com\/jasonlk\/status\/1947765754050580959\" target=\"_blank\" rel=\"noopener nofollow\">ayr\u0131m yapm\u0131yordu<\/a>.<\/p>\n<p>Kaynak kod yorumuna yerle\u015ftirilen bir komut enjeksiyonu, Windsurf geli\u015ftirme ortam\u0131n\u0131n <a href=\"https:\/\/embracethered.com\/blog\/posts\/2025\/windsurf-spaiware-exploit-persistent-prompt-injection\/\" target=\"_blank\" rel=\"noopener nofollow\">k\u00f6t\u00fc ama\u00e7l\u0131 komutlar\u0131 uzun s\u00fcreli belle\u011finde otomatik olarak depolamas\u0131n\u0131<\/a> sa\u011flad\u0131 ve bu sayede aylarca sistemden veri \u00e7almas\u0131na olanak tan\u0131d\u0131.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/nx-build-s1ngularity-supply-chain-attack\/54223\/\" target=\"_blank\" rel=\"noopener nofollow\">Nx g\u00fcvenlik ihlali olay\u0131nda<\/a>; Claude, Gemini ve Q i\u00e7in komut sat\u0131r\u0131 ara\u00e7lar\u0131 kullan\u0131larak, vir\u00fcs bula\u015fm\u0131\u015f bir sistemden \u00e7al\u0131nabilecek parolalar ve anahtarlar arand\u0131.<\/p>\n<h2>Yapay zeka taraf\u0131ndan olu\u015fturulan kodu g\u00fcvenli bir \u015fekilde kullanma<\/h2>\n<p>Yapay zeka taraf\u0131ndan \u00fcretilen kodun risk seviyesi, organizasyonel ve teknik \u00f6nlemlerin bir kar\u0131\u015f\u0131m\u0131yla tamamen ortadan kald\u0131r\u0131lamasa da \u00f6nemli \u00f6l\u00e7\u00fcde azalt\u0131labilir:<\/p>\n<ul>\n<li>Optimize edilmi\u015f <a href=\"https:\/\/en.wikipedia.org\/wiki\/Static_application_security_testing\" target=\"_blank\" rel=\"noopener nofollow\">SAST<\/a> ara\u00e7lar\u0131 kullanarak, yapay zeka taraf\u0131ndan olu\u015fturulan kodun yaz\u0131ld\u0131\u011f\u0131 anda otomatik olarak incelenmesini sa\u011flay\u0131n.<\/li>\n<li>T\u00fcm yapay zeka ortamlar\u0131n\u0131n sistem istemlerine g\u00fcvenlik gereksinimlerini dahil edin.<\/li>\n<li>Etkinli\u011fi art\u0131rmak i\u00e7in, deneyimli insan uzmanlar\u0131n, uzman yapay zeka destekli g\u00fcvenlik analiz ara\u00e7lar\u0131n\u0131n deste\u011fiyle, ayr\u0131nt\u0131l\u0131 kod incelemeleri yapmalar\u0131n\u0131 sa\u011flay\u0131n.<\/li>\n<li>Geli\u015ftiricilere g\u00fcvenli komut istemleri yazmay\u0131 \u00f6\u011fretin ve daha genel olarak, <a href=\"https:\/\/k-asap.com\/tr\/?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=tr_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=tr_kdaily_organic_avmwswubv8qh92b\" target=\"_blank\" rel=\"noopener\">yapay zekan\u0131n g\u00fcvenli kullan\u0131m\u0131 konusunda onlara kapsaml\u0131 e\u011fitim verin<\/a>.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\">\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yapay zeka taraf\u0131ndan \u00fcretilen kodlar siber g\u00fcvenli\u011fi nas\u0131l de\u011fi\u015ftiriyor? Geli\u015ftiriciler ve \u201cvibe kodlay\u0131c\u0131lar\u201d ne beklemeli?<\/p>\n","protected":false},"author":2722,"featured_media":13916,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[2815,744,2802,1610,1424],"class_list":{"0":"post-13915","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-buyuk-dil-modeli","10":"tag-guvenlik","11":"tag-llm","12":"tag-makine-ogrenimi","13":"tag-yapay-zeka"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/vibe-coding-2025-risks\/13915\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/vibe-coding-2025-risks\/29724\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/vibe-coding-2025-risks\/24794\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/vibe-coding-2025-risks\/12914\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vibe-coding-2025-risks\/29613\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/vibe-coding-2025-risks\/28663\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/vibe-coding-2025-risks\/31557\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/vibe-coding-2025-risks\/30214\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/vibe-coding-2025-risks\/40659\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vibe-coding-2025-risks\/54584\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/vibe-coding-2025-risks\/23307\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/vibe-coding-2025-risks\/32829\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vibe-coding-2025-risks\/29817\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vibe-coding-2025-risks\/35557\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vibe-coding-2025-risks\/35179\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/yapay-zeka\/","name":"yapay zeka"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=13915"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13915\/revisions"}],"predecessor-version":[{"id":13918,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13915\/revisions\/13918"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/13916"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=13915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=13915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=13915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}