Vibe coded Lovable-hosted app littered with basic flaws exposed 18K users

Published: (February 27, 2026 at 11:48 AM EST)
5 min read

Source: Hacker News

Vibe‑coding platform Lovable has been accused of hosting apps riddled with vulnerabilities after saying users are responsible for addressing security issues flagged before publishing.

Taimur Khan, a tech entrepreneur with a background in software engineering, found 16 vulnerabilities – six of which he said were critical – in a single Lovable‑hosted app that leaked more than 18,000 people’s data.

  • He declined to name the app during the disclosure process, although it was hosted on Lovable’s platform and showcased on its Discover page.
  • The app had >100 k views and around 400 up‑votes at the time Khan began his probe.

Main issue

Khan said the problem stems from the fact that all apps vibe‑coded on Lovable’s platform are shipped with back‑ends powered by Supabase, which handles authentication, file storage, and real‑time updates through a PostgreSQL database connection.

When the developer – in this case an AI – or the human project owner fails to explicitly implement crucial security features such as Supabase’s row‑level security and role‑based access, the generated code looks functional but is actually flawed.

Example: malformed authentication function

The AI that vibe‑coded the Supabase back‑end (which uses remote procedure calls) implemented the authentication function with faulty access‑control logic, essentially:

  • Blocking authenticated users
  • Allowing unauthenticated users

Khan explained:

“The intent was to block non‑admins from accessing parts of the app, but the faulty implementation blocked all logged‑in users – an error repeated across multiple critical functions.”
“This is backwards,” said Khan. “The guard blocks the people it should allow and allows the people it should block. A classic logic inversion that a human security reviewer would catch in seconds – but an AI code generator, optimizing for ‘code that works,’ produced and deployed to production.”
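The inverted guard described above, reconstructed as a Supabase‑style Postgres RPC with its corrected form and the row‑level security the article says was missing. This is an added illustration, not code from the affected app, from Khan’s report, or from Lovable or Supabase; the table and column names (profiles, role, submissions) are assumed, while auth.uid() and the anon/authenticated roles are Supabase’s own.

```sql
-- Constructed schema (names assumed): a role column drives role-based access.
create table profiles (id uuid primary key, role text not null default 'student');
create table submissions (id uuid primary key, student_id uuid, grade int);

-- VULNERABLE: the guard tests "is there a session?" instead of "is the caller
-- an admin?", and raises on the wrong branch. Logged-in users are rejected and
-- anonymous callers pass. Because the function is SECURITY DEFINER it also
-- bypasses any RLS on the table, so the guard was the only control.
create or replace function grade_submission_vuln(p_id uuid, p_grade int)
returns void language plpgsql security definer as $$
begin
  if auth.uid() is not null then
    raise exception 'not authorized';
  end if;
  update submissions set grade = p_grade where id = p_id;
end $$;

-- FIXED: require a session AND an admin role looked up from profiles.
create or replace function grade_submission(p_id uuid, p_grade int)
returns void language plpgsql security definer set search_path = public as $$
begin
  if auth.uid() is null
     or not exists (select 1 from profiles
                    where id = auth.uid() and role = 'admin') then
    raise exception 'not authorized';
  end if;
  update submissions set grade = p_grade where id = p_id;
end $$;

-- Defense in depth: RLS so a direct table read or update also fails for anyone
-- but the owner or an admin, and the RPC is not callable by anonymous clients.
alter table submissions enable row level security;
create policy "students read own submissions" on submissions
  for select using (auth.uid() = student_id);
create policy "admins manage submissions" on submissions
  for all using (exists (select 1 from profiles
                         where id = auth.uid() and role = 'admin'));
revoke execute on function grade_submission(uuid, int) from public, anon;
grant execute on function grade_submission(uuid, int) to authenticated;
```

A quick check for the inversion is to call the RPC once as an authenticated non‑admin, once as an admin and once anonymously; only the admin call should succeed.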

Because the app itself was a platform for creating exam questions and viewing grades, the user base naturally comprised teachers and students – some from top US universities such as UC Berkeley and UC Davis, and “K‑12 institutions with minors likely on the platform,” Khan noted.

Impact of the flaws

With the security flaws in place, an unauthenticated attacker could:

  • Access every user record
  • Send bulk emails through the platform
  • Delete any user account
  • Grade student test submissions
  • Access organizations’ admin emails

Data exposed

Category                         Count
Total user records               18,697
Unique email addresses           14,928
Student accounts (with emails)    4,538
Enterprise users                 10,505
Users with full PII exposed         870

Broader context

The security flaws are not exclusive to apps hosted by Lovable; the issue is broader and well‑documented.

  • Vibe coding, Collins Dictionary’s Word of the Year for 2025, promised to break down software development’s steep learning curve and empower any “prompt jockey” to bring app ideas to life.
  • When AI isn’t generating slop bug reports in pursuit of lucrative bug bounties or catastrophically forgoing instructions, it can spew glitzy‑looking apps laden with vulnerabilities.

Veracode recently found that 45 % of AI‑generated code contained security flaws, not to mention the myriad tales of woe reported by The Register in recent months.

Khan’s stance

Khan believes Lovable should take responsibility for the security of the apps it hosts. He was especially peeved when, after reporting his findings via company support, his ticket was reportedly closed without response.

“If Lovable is going to market itself as a platform that generates production‑ready apps with authentication ‘included,’ it bears some responsibility for the security posture of the apps it generates and promotes.
You can’t showcase an app to 100 k people, host it on your own infrastructure, and then close the ticket when someone tells you it’s leaking user data. At minimum, a basic security scan of showcased applications would have caught every critical finding in this report.”

Lovable’s response

Lovable told The Register that the company has contacted the owner of the app in question and takes “any findings of this kind extremely seriously.”

Regarding the closed ticket, Lovable CISO Igor Andriushchenko said the company only received “a proper disclosure report” on the evening of 26 February and acted on the findings “within minutes.”

“Any project built with Lovable includes a free security scan before publishing,” Andriushchenko told The Register. “This scan checks for vulnerabilities and, if found, provides recommendations on actions to take to resolve before publishing. Ultimately, it is at the discretion of the user to implement these recommendations.”

Recommendations

In this case, that implementation did not happen.

“This project also includes code not generated by Lovable and the vulnerable database is not hosted by Lovable. We have been in contact with the creator of the app, who is now addressing the issue.”
