Lovable's Public Project Setting Revealed Sensitive Data, Sparking Debate on AI Development Security
A security researcher recently demonstrated how a free account on the AI development platform Lovable could, with minimal effort, access a trove of sensitive information from public user projects. The data reportedly included source code, database credentials, AI chat histories, and internal details from employees at companies like Microsoft and Uber. The researcher, posting as @weezerOSINT, described the incident as a 'mass data leak,' a claim that spread rapidly online and prompted a wave of concern among developers.
Lovable, the Stockholm-based startup valued at $6.6 billion, responded forcefully, stating it had not suffered a breach. The company explained that code visibility on public projects was an intentional feature, similar to public repositories on GitHub. However, it later acknowledged a separate, accidental backend change in February that had temporarily re-exposed chat histories on older public projects; that change has since been corrected.
The situation highlights a core tension in so-called 'vibe-coding' platforms that prioritize rapid application development through conversational AI. For many early users, the distinction between a 'public' app and a publicly visible development workspace, complete with chat logs into which developers often paste API keys and schema details, was not clear. Lovable has since made projects private by default and disabled public options for enterprise users, but the episode exposed a significant gap between what users believed 'public' meant and what the platform actually exposed.
Security analysts nonetheless describe the exposure in terms of Broken Object Level Authorization (BOLA): the platform's API did not properly verify whether the calling user was entitled to the specific project contents it returned, so anyone who could name a project could pull its code and, during the February window, its chat history. This incident is part of a pattern; earlier vulnerabilities, and third-party apps built on Lovable, have leaked data before, raising questions about whether security scrutiny can keep pace with the speed of AI-assisted development.
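To make the authorization point concrete, the following is an added illustration and not Lovable's code; the data model (a project with an owner, a public/private visibility flag, source files and a development chat) and the sample projects are assumed for the example. It contrasts a handler that authenticates the caller but returns whatever project it is asked for with one that checks, per object, what this caller may see of it, and keeps the chat history owner-only even on a public project.

```python
"""Object-level authorization for a project API (illustrative, not Lovable's code).

The vulnerable handler only checks that *someone* is logged in, then returns
the whole project, chat included. The hardened handler checks ownership and
visibility for the specific object requested and returns only the fields
this caller is entitled to.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Project:
    project_id: str
    owner: str
    visibility: str            # "public" or "private" (assumed field)
    source_files: Dict[str, str]
    chat_history: List[str]    # developers paste secrets here


# Constructed sample data, not real projects or credentials.
PROJECTS: Dict[str, Project] = {
    "p1": Project("p1", "alice", "public",
                  {"app.py": "print('hello')"},
                  ["Set DATABASE_URL=postgres://admin:hunter2@db/prod"]),
    "p2": Project("p2", "bob", "private",
                  {"main.ts": "export {}"},
                  ["Use API key sk-test-0000 for Stripe"]),
}


class Forbidden(Exception):
    pass


def get_project_vulnerable(caller: Optional[str], project_id: str) -> dict:
    """BOLA-style handler: authentication without object-level authorization.

    Any logged-in account (a free one will do) can name any project ID and
    receive the full object, including the chat history.
    """
    if caller is None:
        raise Forbidden("login required")
    p = PROJECTS[project_id]
    return {"source_files": p.source_files, "chat_history": p.chat_history}


def get_project_hardened(caller: Optional[str], project_id: str) -> dict:
    """Per-object check: private projects are owner-only; public projects
    expose source to anyone, but the development chat stays owner-only.

    Unknown and forbidden IDs get the same response so the endpoint cannot be
    used to enumerate which project IDs exist.
    """
    p = PROJECTS.get(project_id)
    if p is None:
        raise Forbidden("not found")
    is_owner = caller is not None and caller == p.owner
    if p.visibility != "public" and not is_owner:
        raise Forbidden("not found")
    out = {"source_files": p.source_files}
    if is_owner:
        out["chat_history"] = p.chat_history
    return out


def leaked_chat_lines(handler: Callable[[Optional[str], str], dict],
                      caller: Optional[str]) -> List[str]:
    """Walk every known project ID, as a crawler would, and collect each chat
    line the handler returns to `caller`. An empty list means no chat leaked."""
    lines: List[str] = []
    for pid in PROJECTS:
        try:
            lines.extend(handler(caller, pid).get("chat_history", []))
        except Forbidden:
            pass
    return lines


if __name__ == "__main__":
    # A free account "mallory" that owns nothing.
    print("vulnerable:", leaked_chat_lines(get_project_vulnerable, "mallory"))
    print("hardened:  ", leaked_chat_lines(get_project_hardened, "mallory"))
```

Note that the hardened version still lets an anonymous or free account read the source of a public project, which matches the GitHub-style behaviour the company says was intentional; what changes is that the caller's relationship to the specific object decides which fields come back, rather than the mere fact of being logged in.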
While Lovable maintains its enterprise customers were not affected and has thanked external researchers, the event serves as a stark reminder for businesses. As AI tools accelerate software creation, the policies governing data visibility and the security of the development environment itself require explicit attention and clear communication to users.
Source: Webpronews