Lovable's Security Flaw Sparks Outcry as Platform Points Fingers
Lovable's Data Exposure Debacle: A Timeline of Mishandled Security
A storm of controversy has engulfed AI programming platform Lovable after security researchers uncovered what might be every developer's nightmare - a vulnerability so severe that anyone with a free account could access others' sensitive information. The discovery has sparked heated debates about corporate accountability in tech security breaches.
The Vulnerability That Shouldn't Exist
Researchers sounded alarms when they found that Lovable's API did not enforce object-level authorization, the class of flaw the OWASP API Security Top 10 lists as Broken Object Level Authorization (BOLA): the server checked that a request came from a logged-in user, but not that this user was allowed to read the specific project the request named. This oversight meant any free-account holder could:
- View private chat histories
- Access proprietary source code
- Obtain database credentials
"It wasn't even hacking," explained one researcher who wished to remain anonymous. "Just five simple API calls and you're in - like walking through an unlocked door marked 'private.'"
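To make the flaw concrete, here is an added illustration (not Lovable's code, and not the researchers' exploit) of what "no object-level check" looks like in a project-lookup handler, beside a hardened version. The data model, the `PROJECTS` table and the caller names are constructed for the example. The hardened handler assumes a policy in which a public project exposes only its source, while chat history and database credentials stay owner-only; it also answers "not found" for both missing and forbidden IDs so that a scan cannot tell the two apart.

```python
"""Illustrative BOLA example. Everything here is constructed for the
example and is not Lovable's API or data model."""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class Project:
    id: int
    owner: str            # account that created the project
    public: bool          # whether the owner marked it public
    source: str           # proprietary source code
    chat_history: list    # private chat with the AI assistant
    db_url: str           # database credentials


# Constructed sample data: two owners, one private and one public project.
PROJECTS = {
    1: Project(1, "alice", False, "print('alice app')",
               ["alice: build me a login page"], "postgres://alice:s3cret@db/alice"),
    2: Project(2, "bob", True, "print('bob app')",
               ["bob: add a cart"], "postgres://bob:hunter2@db/bob"),
}


class NotFound(Exception):
    """Raised for unknown and, in the hardened handler, unauthorized IDs."""


def get_project_vulnerable(caller: str, project_id: int) -> dict:
    """BOLA: the request is authenticated (caller is a known account) but the
    handler never asks whether *this* caller may read *this* project."""
    p = PROJECTS.get(project_id)
    if p is None:
        raise NotFound(project_id)
    return {"source": p.source, "chat": p.chat_history, "db_url": p.db_url}


def get_project_secure(caller: str, project_id: int) -> dict:
    """Object-level check: look the project up, then decide per field what the
    caller is entitled to. Unknown and forbidden IDs get the same answer."""
    p = PROJECTS.get(project_id)
    if p is None or not (p.owner == caller or p.public):
        raise NotFound(project_id)
    view = {"source": p.source}          # 'public' means source only (assumed policy)
    if p.owner == caller:                # chat and credentials are owner-only
        view["chat"] = p.chat_history
        view["db_url"] = p.db_url
    return view


def leaked_ids(handler: Callable[[str, int], dict], caller: str,
               id_range: Iterable[int]) -> list:
    """Simulate the 'walk the IDs' probe: which projects does `caller` get back?"""
    found = []
    for pid in id_range:
        try:
            handler(caller, pid)
            found.append(pid)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    # 'mallory' owns nothing; the vulnerable handler hands her everything.
    print("vulnerable:", leaked_ids(get_project_vulnerable, "mallory", range(1, 4)))
    print("secure:    ", leaked_ids(get_project_secure, "mallory", range(1, 4)))
    print("public view:", get_project_secure("mallory", 2))
```

The per-field decision in the hardened handler is the point of the exercise: a single boolean "is this project public" is not enough when chat history and credentials live on the same object as the code, which is exactly the ambiguity the platform later admitted to.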
Lovable's Evolving Explanations
The platform's response has been anything but consistent. Their initial statement called it "intentional actions" before pivoting to blame "poor documentation." When pressed further, they admitted their definition of 'public' projects was unclear - a startling admission for a platform handling sensitive developer data.
Social media posts from @weezerOSINT reveal the vulnerability was reported 48 days prior to public disclosure, only to be dismissed as a "duplicate submission." This delay allowed the exposure to continue until researchers escalated to HackerOne on March 3.
Passing the Buck to HackerOne?
In a surprising twist, Lovable ultimately shifted responsibility to HackerOne, claiming their partner deemed the visibility of public project chats as "expected behavior." Security experts raised eyebrows at this justification, noting that enterprise users will soon lose public project options entirely - suggesting the company knew these settings were problematic.
"They're treating security like a feature toggle rather than a fundamental requirement," commented cybersecurity analyst Mark Chen. "When your API accidentally makes private chats visible again, that's not an expected behavior - that's a failure."
The Fallout and Fixes
The company has since implemented several changes:
- Restricted new enterprise projects from being public starting May 2025
- Clarified permission settings in their API
- Acknowledged their communication missteps
Yet for early free-tier users, the only path to privacy remains upgrading to paid plans - a move some see as profiting from their own security lapses.
Key Points:
- 🔓 Critical BOLA vulnerability exposed user data through simple API calls
- 🔄 Lovable's explanations evolved from 'intentional' to 'poor docs' before blaming HackerOne
- ⏳ Researchers reported the flaw 48 days before action was taken
- 💰 Free users must pay for privacy features after security failures
- 🛠️ Fixes implemented but trust may take longer to rebuild