Security Operations, Vulnerability Management, AI/ML, DevOps

Lovable platform faces scrutiny over app vulnerabilities and data leak

According to The Register, the vibe-coding platform Lovable is under fire after a security researcher discovered significant vulnerabilities in one of its hosted applications, leading to a data leak affecting over 18,000 users. The platform's stance that users are responsible for addressing security issues before publishing has drawn criticism.

Tech entrepreneur Taimur Khan identified 16 vulnerabilities, including six critical ones, in a Lovable-hosted app. The app, which had over 100,000 views, used Supabase for its backend, handling authentication and data storage. Khan found that when neither the AI nor the human developer explicitly implements security controls such as row-level security, the generated code can be flawed. In this case, a malformed authentication function incorrectly blocked authenticated users while allowing unauthorized access. This vulnerability could have allowed attackers to access user records, send bulk emails, delete accounts, and view sensitive PII, including data from users at institutions like UC Berkeley and UC Davis, and potentially minors from K-12 schools.
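The failure described above, a Supabase/Postgres row-level-security policy that denies the legitimate owner while letting other callers through, is easy to reproduce in a few lines and just as easy to check. The following is an added illustration written for this summary; it is not the affected app's code and does not claim to be the exact defect Khan found. The `profiles` table, its columns and the sample UUIDs are assumed for the example; `auth.uid()` and the `authenticated` role are standard Supabase objects.

```sql
-- Added example (not the affected app's code): an inverted RLS predicate
-- beside its corrected form, plus a quick check that impersonates a user the
-- way Supabase's API layer does. Table, columns and UUIDs are assumed.

create table profiles (
  id        uuid primary key,
  owner_id  uuid not null,   -- assumed: the auth.users id that owns the row
  email     text,
  full_name text
);

-- A fresh table has RLS disabled: any caller that reaches it through the
-- API reads every row. Enabling RLS with no policy denies everything, which
-- is the safe starting point; policies then grant access back selectively.
alter table profiles enable row level security;

-- WEAK (hypothetical): the comparison is inverted. The row's own owner,
-- for whom auth.uid() = owner_id, is denied, while every other signed-in
-- user reads the row. Anonymous callers have a NULL auth.uid(); NULL <> x
-- is NULL, which RLS treats as false, so the hole is "any other account",
-- not "the whole internet" -- still a full cross-user data exposure.
create policy "profiles_read_inverted"
  on profiles for select
  to authenticated
  using (auth.uid() <> owner_id);

-- CORRECTED: the owner, and only the owner, can read the row. The
-- (select auth.uid()) form lets the planner evaluate the call once per
-- query rather than once per row; `to authenticated` keeps the anon role
-- out entirely instead of relying on the NULL comparison.
drop policy "profiles_read_inverted" on profiles;
create policy "profiles_read_own"
  on profiles for select
  to authenticated
  using ((select auth.uid()) = owner_id);

-- Verification from a SQL session: impersonate an authenticated user the
-- way PostgREST does (role + JWT claims), then confirm only that user's row
-- is visible. `set local` requires a transaction; roll back afterwards.
insert into profiles values
  ('aaaaaaaa-0000-0000-0000-000000000001',
   '11111111-1111-1111-1111-111111111111', 'alice@example.test', 'Alice'),
  ('aaaaaaaa-0000-0000-0000-000000000002',
   '22222222-2222-2222-2222-222222222222', 'bob@example.test',   'Bob');

begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
    true);
  -- Expect exactly one row (Alice). Seeing Bob's row means the policy is
  -- wrong; seeing zero rows means the legitimate user is locked out.
  select id, email from profiles;
rollback;
```

The same check, run once per table with `select count(*) from profiles` for an owner, a non-owner and the anon role, is a cheap regression test to keep alongside the schema: it catches both halves of the reported bug, the locked-out owner and the cross-user read, before the app is published.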

This incident highlights broader concerns surrounding AI-generated code and the security of low-code/no-code platforms. While Lovable states that apps undergo a security scan before publishing, it places the onus on users to implement recommendations.

Source: The Register
