Lovable Faces Backlash Over Data Exposure Claims and API Vulnerability

Severity: Medium (Score: 54.6)

Sources: owasp.org, Theregister

Summary

Lovable, a vibe-coding platform, is denying claims of a data leak that allows free-account users to access sensitive information belonging to other users, including source code and credentials. A researcher reported a Broken Object Level Authorization (BOLA) vulnerability: the API returns objects by identifier without checking that the authenticated caller is permitted to read them, so any logged-in user can retrieve other users' data through ordinary API calls. The researcher, known as @weezerOSINT, stated that they had reported the issue 48 days earlier, but it was dismissed as a duplicate by HackerOne, the bug bounty service. Lovable initially attributed the exposure to "intentional behavior" and "unclear documentation," but later clarified that visibility settings for chat messages had changed. The company maintains that no data breach occurred, even though the researcher demonstrated the vulnerability by accessing another user's data. Companies such as Uber and Zendesk use Lovable's services, raising concerns about the potential impact on their data. Lovable's response has been criticized for shifting blame and lacking accountability.

Key Points:

  • Lovable's platform exposes sensitive user data because of a BOLA vulnerability.
  • The issue was reported 48 days earlier but dismissed as a duplicate by HackerOne.
  • Lovable attributes the exposure to intentional design choices and unclear documentation.
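To make the BOLA pattern in the summary concrete, here is an added example (constructed for this page; it is not Lovable's code, and every name in it is hypothetical). It models a chat-message endpoint that authenticates the caller but never checks who owns the requested object, beside the same endpoint with an object-level check, and walks sequential identifiers the way a researcher would to show which messages each version hands back.

```python
"""Minimal model of a BOLA (Broken Object Level Authorization) bug in a
chat-message API, and the object-level check that closes it.

Constructed example, not Lovable's code. Users, messages and function names
are hypothetical.
"""

from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Message:
    id: int
    owner: str         # account that created the chat the message belongs to
    visibility: str    # "private" or "public"
    body: str


# Constructed sample data: one private message per user plus one public one.
# Message 1 stands in for the kind of credential the report says was exposed.
MESSAGES = {
    1: Message(1, "alice", "private", "DATABASE_URL=postgres://alice:s3cret@db/app"),
    2: Message(2, "bob", "private", "bob's unpublished source"),
    3: Message(3, "bob", "public", "bob's public showcase"),
}


def get_message_vulnerable(requester: Optional[str], message_id: int) -> Optional[Message]:
    """Authentication only: the caller must be logged in, but the object's owner
    and visibility are never consulted. Any account can fetch any id."""
    if requester is None:
        return None                    # unauthenticated request is rejected
    return MESSAGES.get(message_id)    # BOLA: no check that requester may read it


def get_message_fixed(requester: Optional[str], message_id: int) -> Optional[Message]:
    """Object-level authorization: return the message only if the requester owns
    it or it is explicitly public. Unknown ids and forbidden ids both yield None
    so the response does not reveal whether an id exists."""
    if requester is None:
        return None
    msg = MESSAGES.get(message_id)
    if msg is None:
        return None
    if msg.owner == requester or msg.visibility == "public":
        return msg
    return None


def enumerate_readable(
    fetch: Callable[[Optional[str], int], Optional[Message]],
    requester: Optional[str],
    id_range: Iterable[int] = range(1, 10),
) -> list:
    """Simulate an attacker walking sequential ids against an endpoint and
    return the ids it handed back. Used to compare the two handlers."""
    return [i for i in id_range if fetch(requester, i) is not None]


if __name__ == "__main__":
    # A third account, "mallory", probes ids 1..9 against each endpoint.
    print("vulnerable:", enumerate_readable(get_message_vulnerable, "mallory"))
    print("fixed:     ", enumerate_readable(get_message_fixed, "mallory"))
```

The two handlers differ only in the ownership/visibility test, which is the whole distinction between authentication (CWE-287) and authorization on the object. Note that the fixed handler is only as safe as the stored `visibility` values: if a default silently changes from private to public, as the summary says Lovable later described for chat messages, the check passes legitimately and the data still leaks, so a change to visibility defaults deserves the same scrutiny as a missing check.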

Key Entities

  • Data Breach (attack_type)
  • Lovable (platform)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • Broken Object Level Authorization (bola) Vulnerability (vulnerability)