Summary:
Vibe-coded software can have major security flaws because of how it is deployed and configured, not only because of the code itself
Lovable uses AI to create websites but connects them to databases hosted by Supabase, and misconfigured databases have exposed user data
Misconfigured databases behind Lovable-built sites allowed access to email addresses, personal debt amounts, and home addresses
Lovable's new security scan only checks whether Supabase access controls are enabled, not whether the policies are configured correctly
Experts recommend not letting users query the database directly; the application should decide what data each user may see and fetch it for them
Even if AI models write flawless code, vibe-coded software can still have major security flaws because of how it’s implemented. The models generating code can’t yet see the big picture and scrutinize how it will ultimately be used. They might be able to provide guidance on that topic, but inexperienced users might not even know the right questions to ask.
Lovable, for instance, uses AI models to create websites instantly. But for websites to do much of anything, they need to be connected to databases that store things like user accounts and payment information.
Lovable doesn’t build those databases itself. It offers users an easy way to connect to a database service run by a startup called Supabase.
On March 20, Replit employee Matt Palmer noticed a vulnerability in a Lovable-created website called Linkable, which would automatically turn anyone’s LinkedIn page into a personal website. According to the vulnerability report, Palmer was able to see the email addresses of the 500 or so users who had engaged with the app.
The reason, he discovered, was that the Supabase database was not configured correctly. Palmer posted on X to Lovable co-founder and CEO Anton Osika, notifying him of the problem. Palmer said Lovable told him there was no issue.
The following day, Palmer and his colleague, Kody Low, did the deeper analysis that turned up 170 vulnerable Lovable sites.
On April 14, another software engineer posted on X that he had “hacked” multiple websites on the Lovable recommendation page. In 47 minutes, he said he had turned up personal debt amounts, home addresses, API keys, and “spicy prompts.” He posted a screenshot of a prompt one user had entered into a Lovable-created app that read: “Beautiful girl with big …”
Lovable responded to the scrutiny by announcing it had implemented a new feature that it said “scans your app for security issues before you publish.”
But according to the vulnerability report, the security scan only does one thing: It determines whether Supabase access controls (row-level security) are enabled. It doesn’t check whether the policies behind them are configured properly — something even seasoned software developers can get wrong.
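The distinction between "enabled" and "configured properly" is concrete in Postgres, which is what Supabase runs. The following is an added example, not code from the article, from Lovable, or from Supabase; the table and column names (public.profiles, user_id, email, home_address) and policy names are hypothetical. It shows a table with row-level security switched on but a policy that still exposes every row, the corrected per-user policies, and the catalog queries a practitioner would run to see what an "is RLS enabled" check does not.

```sql
-- Added example (not from the article, Lovable or Supabase). Table, column
-- and policy names are hypothetical.

-- A table of the kind a vibe-coded site might store.
create table public.profiles (
  id           bigint generated always as identity primary key,
  user_id      uuid not null,   -- the Supabase auth user who owns the row
  email        text not null,
  home_address text
);

-- Step 1: this is all that an "access controls enabled" check looks at.
alter table public.profiles enable row level security;

-- Weak: RLS is enabled, yet this policy lets any request that reaches the
-- table (the anon role only needs the site's public API key) read every row.
create policy "profiles_read_all" on public.profiles
  for select
  using (true);

-- Corrected: remove the permissive policy and scope each operation to the
-- caller. auth.uid() is Supabase's helper that returns the user id from the
-- request's JWT; it is null for anonymous requests, so the comparison fails
-- closed and anonymous callers see no rows.
drop policy "profiles_read_all" on public.profiles;

create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (auth.uid() = user_id);

create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Audit. The first query answers only the "enabled" question
-- (relrowsecurity). The second shows the actual predicates: a qual of
-- 'true', or a table with RLS on but no policy at all, is the finding
-- a scan that stops at "enabled" will never report.
select c.relname, c.relrowsecurity, c.relforcerowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r';

select tablename, policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public';
```

Two caveats worth keeping in mind when reading the audit output: a table with RLS enabled and no policies denies everything to ordinary roles, which is safe but usually breaks the app, and the table owner and any role with BYPASSRLS (Supabase's service role) are not restricted by these policies at all, so a service-role key leaking into client-side code undoes all of the above.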
Alex Stamos, chief information security officer at cybersecurity firm SentinelOne, said the best practice for web apps is to avoid letting users access the database at all. Instead, the application determines what information users should be able to access and then fetches that data.
In that sense, it’s sort of like delivering a person’s mail to their house, rather than letting them wander into the post office while trying to keep them from grabbing someone else’s mail.
But that method can be complex. When Stamos was chief security officer at Facebook, he said, the biggest drain on compute resources was access control, determining which data users could see and then serving them the relevant content.
Allowing users to connect directly to a database is risky, he said. “You can do it correctly. The odds of doing it correctly are extremely low.”
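The pattern Stamos describes, in which the application rather than the user decides what to fetch, is normally implemented in a server tier. The following is an added example and is not from the article or from Stamos; it shows the closest Postgres/Supabase-side analogue, where client roles lose direct access to the table and can only call a function that selects on their behalf. The table public.profiles and its columns are the same hypothetical names as above, and get_my_profile is a hypothetical function name.

```sql
-- Added example (not from the article, Lovable or Supabase). Names are
-- hypothetical. Goal: client-side code never queries the table directly.

-- Take away direct table access from the roles that browser code runs as.
revoke all on table public.profiles from anon, authenticated;

-- Gatekeeper function. It runs with its owner's privileges (security
-- definer) and itself decides which rows the caller receives, so the
-- client cannot change the WHERE clause. Pinning search_path stops a
-- caller-controlled schema from shadowing the objects the body references.
create or replace function public.get_my_profile()
returns table (email text, home_address text)
language sql
security definer
set search_path = public
stable
as $$
  select p.email, p.home_address
  from public.profiles p
  where p.user_id = auth.uid();   -- null for anonymous callers: no rows
$$;

-- Functions are executable by PUBLIC by default; narrow that so only
-- signed-in users can call it.
revoke execute on function public.get_my_profile() from public, anon;
grant execute on function public.get_my_profile() to authenticated;
```

Row-level security policies on the table still apply to any other path to the data, so the two approaches are complementary: the function limits what clients can ask for, and the policies from the earlier example limit what any query can return if a direct path is ever reopened by mistake.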
In an X thread in April, Lovable told its users that when they build a website with their service, it’s “pretty much guaranteed to be secure.” The company also acknowledged that using Supabase can expose data if it’s not configured properly.
For sensitive data, Lovable suggested a “human security review,” putting some responsibility on its vibe-coding customers to handle the task.
It finished the thread by saying “Lovable will help you keep your app secure, even if you don’t know anything about security. We’re making vibe coding secure.”
When Replit CEO Amjad Masad called out Lovable on X, Osika fired back. “1. Be Replit founder 2. Have a decade-long head start 3. Watch small EU competitor, Lovable, surpass you in usage and making vibe coding secure 4. Copy it 4 weeks later 5. Bash Lovable for not being secure,” he wrote.
Palmer decided to submit an official vulnerability report to the National Vulnerability Database, which gave Lovable 45 days from the time Palmer notified it before the report was made public.
“Vibe coding has done wonders to democratize software development,” Masad said in a statement. “We can’t expect novice developers to audit low-level security configs. If a tool makes it easy to deploy an app, it should also make it hard to accidentally expose sensitive data.”