Tools: Vibe Coded Lovable-hosted App Littered With Basic Flaws Exposed 18k...

Vibe-coding platform Lovable has been accused of hosting apps riddled with vulnerabilities, after the company said that users are responsible for fixing the security issues its platform flags before they publish.

Taimur Khan, a tech entrepreneur with a background in software engineering, found 16 vulnerabilities – six of which he said were critical – in a single Lovable-hosted app that leaked more than 18,000 people's data.

He declined to name the app during the disclosure process, although it was hosted on Lovable's platform and showcased on its Discover page. The app had more than 100,000 views and around 400 upvotes at the time Khan began his probe.

The main issue, Khan said, is that every app vibe-coded on Lovable's platform ships with a backend powered by Supabase, a hosted backend that provides authentication, file storage, and real-time updates on top of a PostgreSQL database.

However, when neither the developer – in this case the AI – nor the human project owner explicitly sets up Supabase's security controls, such as row-level security policies on the tables and role-based access checks in the backend functions, the generated code looks functional but leaves the data open.

One example was an inverted authorization check. The AI that vibe-coded the Supabase backend, which exposes PostgreSQL functions to the frontend as remote procedure calls, implemented the check with backwards access-control logic, blocking authenticated users while letting unauthenticated callers through.

Khan said the intent was to block non-admins from accessing parts of the app, but the faulty implementation blocked all logged-in users – an error he said was repeated across multiple critical functions.

"This is backwards," said Khan. "The guard blocks the people it should allow and allows the people it should block. A classic logic inversion that a human security reviewer would catch in seconds – but an AI code generator, optimizing for 'code that works,' produced and deployed to production."
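The pattern described above, shown as an added example rather than code from the app or from Khan's write-up. The schema, table, function and policy names are constructed for illustration; `auth.uid()`, the `anon` and `authenticated` roles, and the `/rest/v1/rpc/<name>` exposure of `public` functions are standard Supabase conventions. The first function reproduces the inverted guard; the rest shows the deny-by-default RPC, the grant cleanup, and the row-level security that the article says was missing.

```sql
-- Constructed schema (assumption, not the app's real tables): one profile
-- row per Supabase auth user; is_admin marks an organisation administrator.
create table if not exists public.profiles (
  id       uuid primary key,          -- equals the auth.users id
  email    text not null,
  is_admin boolean not null default false
);

-- 1. The inverted guard (constructed illustration of the bug class).
--    Supabase exposes this as POST /rest/v1/rpc/list_all_users.
create or replace function public.list_all_users()
returns setof public.profiles
language plpgsql
security definer            -- runs as the owner, so RLS does not apply
set search_path = ''
as $$
begin
  -- Intent: "reject anyone who is not an admin".
  -- Effect: every signed-in user has a profile row and is rejected;
  -- an anonymous caller has auth.uid() = null, matches no row, and
  -- falls straight through to the full table dump.
  if exists (select 1 from public.profiles p where p.id = auth.uid()) then
    raise exception 'admins only';
  end if;
  return query select * from public.profiles;
end;
$$;

-- 2. A helper that can never return null: an anonymous caller (null uid)
--    is coalesced to false instead of slipping through a null comparison.
--    security definer also lets RLS policies call it without recursing
--    into the profiles table's own policies.
create or replace function public.is_admin()
returns boolean
language sql
security definer
set search_path = ''
stable
as $$
  select coalesce(
    (select p.is_admin from public.profiles p where p.id = auth.uid()),
    false);
$$;

-- 3. Hardened RPC: deny by default, explicit admin check.
create or replace function public.list_all_users()
returns setof public.profiles
language plpgsql
security definer
set search_path = ''
as $$
begin
  if not public.is_admin() then
    raise exception 'admins only' using errcode = '42501';  -- insufficient_privilege
  end if;
  return query select * from public.profiles;
end;
$$;

-- 4. Postgres grants EXECUTE on new functions to PUBLIC, so the anon role
--    can reach any RPC until that grant is removed.
revoke execute on function public.list_all_users() from public, anon;
grant  execute on function public.list_all_users() to authenticated;

-- 5. Row-level security on the table itself, so direct PostgREST access
--    (GET /rest/v1/profiles) is restricted independently of the RPC.
alter table public.profiles enable row level security;

create policy "users read their own profile"
  on public.profiles for select
  to authenticated
  using (id = auth.uid());

create policy "admins read every profile"
  on public.profiles for select
  to authenticated
  using (public.is_admin());
```

The two checks that matter are the null handling and the grants: a guard written as a comparison against `auth.uid()` silently evaluates to null for an anonymous caller, and a function with the default PUBLIC execute grant is callable with nothing more than the project's public anon key. Enabling RLS with no policies denies all access through the API, which is the safe default to start from before adding policies one at a time.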

Because the app itself was a platform for creating exam questions and viewing grades, its user base naturally consists of teachers and students. Some were from top US universities such as UC Berkeley and UC Davis, and there were also "K-12 institutions with minors likely on the platform," Khan said.

With these flaws in place, an unauthenticated attacker could, for example, read every user record, send bulk emails through the platform, delete any user account, grade student test submissions, and read organizations' admin email addresses.

Source: HackerNews