
Lovable AI coding platform faces scrutiny over data exposure


As detailed in The Register, the AI coding platform Lovable is facing criticism following a researcher's discovery of a significant security flaw. The vulnerability allowed unauthorized access to sensitive user information, including credentials, chat history, and source code, through free accounts.

A security researcher, operating under the handle @weezerOSINT, reported that a simple free account on Lovable provided access to other users' source code and database credentials. The issue stemmed from a Broken Object Level Authorization (BOLA) vulnerability, where API endpoints lacked proper ownership validation.
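The BOLA pattern described above, as an added illustration that is not Lovable's code and not from the researcher's report: a handler that looks up a project by id alone, beside one that also checks the authenticated caller's ownership. Project ids, owners and credentials are constructed sample data.

```python
"""Broken Object Level Authorization (BOLA): an authenticated but unauthorized
read. Hypothetical handlers over an in-memory table; names are not Lovable's."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Project:
    id: str
    owner: str
    public: bool
    source: str
    db_credentials: str


# Constructed sample data standing in for a projects table.
PROJECTS = {
    "p1": Project("p1", "alice", False, "print('hi')", "postgres://alice:s3cret@db/a"),
    "p2": Project("p2", "bob", True, "print('hello')", "postgres://bob:pw@db/b"),
}


class Forbidden(Exception):
    pass


def get_project_insecure(caller: str, project_id: str) -> dict:
    # BOLA: the caller is authenticated (we know who they are) but the handler
    # never checks that the requested object belongs to them.
    p = PROJECTS[project_id]
    return {"source": p.source, "db_credentials": p.db_credentials}


def get_project_secure(caller: str, project_id: str) -> dict:
    # Ownership check on every object access. Public projects expose only
    # their source; credentials are returned to the owner alone.
    p = PROJECTS.get(project_id)
    if p is None:
        raise Forbidden  # same response for missing and foreign objects
    if p.owner == caller:
        return {"source": p.source, "db_credentials": p.db_credentials}
    if p.public:
        return {"source": p.source}
    raise Forbidden


def read_or_none(caller: str, project_id: str) -> Optional[dict]:
    # Convenience wrapper: None stands for an HTTP 403/404 response.
    try:
        return get_project_secure(caller, project_id)
    except Forbidden:
        return None
```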

Lovable's initial response attributed the exposure to unclear documentation and "intentional behavior," later shifting blame to its bug bounty partner, HackerOne. The company's statements evolved, with Lovable eventually apologizing for its earlier responses and acknowledging a mistake in its permission handling that accidentally re-enabled access to public project chats.

Source: The Register
