
Vibe coded Lovable-hosted app littered with basic flaws exposed 18K users

https://www.theregister.com/2026/02/27/lovable_app_vulnerabilities/
51•nottorp•1h ago

Comments

carlgreene•40m ago
The hardest part about this stuff is that as a user, you don't necessarily know if an app is vibe-coded or not. Previously, you were able to have _some_ reasonable expectation of security in that trained engineers were the ones building these things out, but that's no longer the case.

There's a lot of cool stuff being built, but also as a user, it's a scary time to be trying new things.

yoyohello13•35m ago
Yeah, my trust for new open source projects is in the toilet. Hopefully we will eventually start taking security seriously again after the vibe code gold rush.

esseph•26m ago
> Hopefully we will eventually start taking security seriously again after the vibe code gold rush.

Companies don't take security seriously now (and that predates vibe coding).

ctoth•35m ago
I'm sorry, what?

> Previously, you were able to have _some_ reasonable expectation of security in that trained engineers were the ones building these things

When was this? What world? Did I skip worldlines? Is this a new Universe?

The world I remember is that anybody could write a program and put it on the Internet. Is this not the world you remember?

Further, when those engineers were "trained" ... were there no data breaches before 2022?

carlgreene•27m ago
Of course there were. Don't be pedantic. Anybody could write a program and put it on the internet. But to get a reasonably polished version with decent features and an enjoyable enough UX for someone to sign up and even pay money for, it generally took people who kind of knew what they were doing.

Of course shortcuts were taken. They always were and always will be. But don't try to compare shipping software today to even just 3 years ago.

kimixa•23m ago
Yes - AI has completely destroyed the set of "Signals" people used to judge quality of much software. They weren't ever 100% accurate, sure, but they were often pretty good heuristics for "level of care", what the devs considered important (or didn't consider important) and similar.

And I mean that as both "end user" software signals, and "library" signals for other devs.

I assume that set of signals will slowly be updated. Whether one of those ends up being "Any Use of AI At All" is still an open question, depending on whether the promised hype actually ends up meeting capability as much as anything.

ch4s3•31m ago
I've been thinking a bit about how to do security well with my generated code. I've been using tools that check deps for CVEs, static tools that check for SQL injection and similar problems, and baking some security requirements into the specs I hand Claude. I can't tell yet if this is better than what I did before or just theater. It seems like in this case you'd need/want to specify some tests around access.

I'm interested to hear how other people approach this.

ctoth•28m ago
Same way you handle preserving any other property you want to preserve while "vibecoding" -- ensure tests capture it, ensure the tests can't be skipped. It really is this simple.

s_ting765•21m ago
Ask the LLM to create for you a POC for the vulnerability you have in mind. Last time I did this I had to repeatedly make a promise to the LLM that it was for educational purposes as it assumed this information is "dangerous".

julianlam•25m ago
> One example of this was a malformed authentication function. The AI that vibe-coded the Supabase backend, which uses remote procedure calls, implemented it with flawed access control logic, essentially blocking authenticated users and allowing access to unauthenticated users.

Actually sounds like a typical mistake a human developer would make. Forget a `!` or get confused for a second about whether you want true or false returned, and the logic flips.

The difference is a human is more likely to actually test the output of the change.
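As an added example (not code from the article, from Lovable, or from any commenter): the kind of inverted access check julianlam describes, beside a corrected handler, together with the access tests ch4s3 and ctoth are asking for. The RPC handler shape, the request context, and the profile records are constructed assumptions, not the app's real API.

```javascript
// Added example: an RPC-style handler whose access check has its condition
// inverted, the corrected version, and an access-control check that a build
// can fail on so a regenerated handler cannot silently flip the logic again.

// Constructed request context: `user` is null for anonymous callers or
// { id } for a verified session; `params.id` is the requested profile.
function buggyGetProfile(ctx, profiles) {
  // Inverted check: rejects callers who DO have a session and lets
  // anonymous callers through (the flaw described in the thread).
  if (ctx.user) {
    return { status: 401, body: null };
  }
  return { status: 200, body: profiles[ctx.params.id] ?? null };
}

function fixedGetProfile(ctx, profiles) {
  // Authentication: a session is required.
  if (!ctx.user) {
    return { status: 401, body: null };
  }
  // Authorization: a caller may only read their own profile.
  if (ctx.user.id !== ctx.params.id) {
    return { status: 403, body: null };
  }
  return { status: 200, body: profiles[ctx.params.id] ?? null };
}

// Access-control assertions an agent-run test suite should not be able to
// skip. Returns a list of failures; an empty list means every case passed.
function checkAccessControl(handler) {
  // Constructed sample data.
  const profiles = {
    u1: { id: 'u1', email: 'a@example.test' },
    u2: { id: 'u2', email: 'b@example.test' },
  };
  const cases = [
    { name: 'anonymous denied', ctx: { user: null, params: { id: 'u1' } }, want: 401 },
    { name: 'owner allowed', ctx: { user: { id: 'u1' }, params: { id: 'u1' } }, want: 200 },
    { name: 'other user denied', ctx: { user: { id: 'u2' }, params: { id: 'u1' } }, want: 403 },
  ];
  const failures = [];
  for (const c of cases) {
    const got = handler(c.ctx, profiles).status;
    if (got !== c.want) failures.push(`${c.name}: expected ${c.want}, got ${got}`);
  }
  return failures;
}
```

Run against `buggyGetProfile` the check reports all three cases as failures; against `fixedGetProfile` it reports none.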

firefoxd•22m ago
Lovable is marketed to non developers, so their core users wouldn't understand a security flaw if it flashed red. A lot of my non dev friends were posting their cool new apps they built on LinkedIn last year [0]. Several were made on Lovable. It's not on their users to understand these flaws.

The apps all look the same with a different color palette, and make for an engaging AI post on LinkedIn. Now they are mostly abandoned, waiting for the subscription to expire... and their personal data to get exposed, I guess.

[0]: https://idiallo.com/blog/my-non-programmer-friends-built-app...

alfiedotwtf•19m ago
Developers with decades of experience still make basic security holes. The general public are screwed once they start hosting their own apps and serving on the Internet.

cube00•3m ago
There's something so innocent about the early days when even Microsoft thought we'd be running Personal Web Servers and hosting our own websites in a peer-to-peer fashion.

These days you wouldn't dare run publicly exposed services from your workstation.

> The Personal Web Server is ideal for intranets, homes, schools, small business workgroups and anyone who wants to set up a personal Web server.

https://news.microsoft.com/source/1996/10/24/microsoft-annou...

melecas•14m ago
Vibe coding democratized shipping without democratizing the accountability. The 18,000 users absorbed the downside of a risk they didn't know they were taking.
