Audit Finds 40% of Public Lovable Apps Expose Databases Due to Missing Security Rules
A passive browser-based scan of 15 publicly deployed Lovable apps found that 6 of them load their Supabase database directly on the client side, exposing API keys in page source code. While this setup is not inherently unsafe, it becomes a serious vulnerability when Row-Level Security (RLS) is not properly configured. In two apps audited with owner permission, sensitive data — including user password hashes and an entire paid course catalogue of over 5,000 items — was freely accessible to unauthenticated users. Additionally, 14 of the 15 apps shipped with no Content-Security-Policy header, leaving them open to script injection attacks. The findings highlight a broader risk for apps built on no-code platforms like Lovable, Bolt, and Replit, where database access controls may be overlooked during development.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in