- An application created with Lovable contained 6 critical vulnerabilities and 10 others
- 170 of 1,645 Lovable apps found to have critical flaws
- AI code may look good and work, but it may not be secure
Vibe coding platform Lovable has been accused of hosting insecure applications after security researcher Taimur Khan discovered that an EdTech application submitted by Lovable contained 16 vulnerabilities, six of which were critical.
Khan described how the app exposed more than 18,000 user records, including those of teachers and students from top universities and schools.
Due to faulty access controls, anyone could view all user data, delete accounts, change credit balances, send mass emails, and access courses and grade submissions without having to log in.
Vulnerability in app displayed by Lovable affected more than 18,000 people
According to Khan, the main error was a simple logical error. “Logic says: if you are a logged in user, deny access,” he wrote. The bug “could have escaped AI code generation without proper review,” he wrote, noting that a human reviewer would likely have caught (or not even introduced) such a bug.
The AI-generated backend code appeared fully functional, but it had not been configured securely.
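The inverted check Khan describes, shown beside a deny-by-default version with a negative-path regression check, as an added example that is not code from the audited app or from Lovable. The guard functions, role names and request objects are hypothetical and constructed for illustration.

```javascript
// Added illustration; function, field and role names are hypothetical.

// Inverted guard, matching the quoted logic: a logged-in caller is denied,
// so any caller WITHOUT a session falls through to the protected action.
function invertedGuard(req) {
  if (req.user) {
    return { status: 403, allowed: false };
  }
  return { status: 200, allowed: true };
}

// Corrected guard: deny by default, require a session, then an explicit role.
function correctedGuard(req, requiredRole) {
  if (!req.user) {
    return { status: 401, allowed: false };
  }
  const roles = Array.isArray(req.user.roles) ? req.user.roles : [];
  if (!roles.includes(requiredRole)) {
    return { status: 403, allowed: false };
  }
  return { status: 200, allowed: true };
}

// Constructed requests for an admin-only action, with the outcome policy requires.
const CASES = [
  { name: "anonymous", req: { user: null }, expect: false },
  { name: "student", req: { user: { id: "u1", roles: ["student"] } }, expect: false },
  { name: "admin", req: { user: { id: "u2", roles: ["admin"] } }, expect: true },
];

// Returns the names of the cases where the guard's decision differs from policy.
// The anonymous case is the one a "does it work when I log in?" test never runs.
function auditGuard(guard) {
  return CASES
    .filter((c) => guard(c.req, "admin").allowed !== c.expect)
    .map((c) => c.name);
}

console.log("inverted guard violations:", auditGuard(invertedGuard));
console.log("corrected guard violations:", auditGuard(correctedGuard));
```

Running the same case table against every route in CI catches this class of bug regardless of whether a human or a model wrote the handler.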
Although this report only relates to one Lovable app, Khan is concerned that similar errors could occur more generally. “A security researcher scanned 1,645 apps created with Lovable and found that 170 of them had critical flaws,” Khan wrote.
He described AI-generated code as a “risk,” not a “shortcut,” and criticized vibe coding for producing results that look correct, execute successfully, and return polished-looking user interfaces without necessarily being secure.
Additionally, Khan introduced the concept of ‘vibe hacking’, whereby less technically savvy hackers can exploit AI-generated code on the basis that “AI-generated code defaults to functionality over security.”
Recognizing the role of vibe coding in the industry, he called for platforms like Lovable to scan apps and create stronger security defaults in AI-generated code. Developers should implement appropriate security patches and remember that code that works is not necessarily secure.
“Any project created with Lovable includes a free security scan before publishing,” added a Lovable spokesperson (via The Register), acknowledging that it is at the developer’s discretion whether to implement Lovable’s recommendations.




