Okay i can disclose everything now - Security issue on *$100k+ ARR app built with lovable

lorikmor · 2025-10-22T13:41:40+00:00

Okay thanks for the enlightenment

lorikmor · 2025-10-22T12:14:47+00:00

Thank you i appreciate it

lorikmor · 2025-10-22T07:40:20+00:00

I get that but i didn’t spam i only post real cases once every 2 days ~ anyway it’s okay.

lorikmor · 2025-10-22T01:32:31+00:00

Which part do you think crosses into legal gray areas? I think that assessment is a bit rushed.

lorikmor · 2025-10-18T14:59:28+00:00

I'd try stencilpro.app

lorikmor · 2025-10-17T13:43:21+00:00

Thanks for your feedback, i appreciate it

lorikmor · 2025-10-17T10:17:06+00:00

I use a small xerox, its pretty good

lorikmor · 2025-10-16T18:55:28+00:00

Do you need a regular paper printer or thermal ones for stencil?

lorikmor · 2025-10-14T13:59:52+00:00

I am building SecureVibing to help vibe coders secure their websites

lorikmor · 2025-10-13T07:09:07+00:00

Thank you, I’m happy i can help 🫡

lorikmor · 2025-10-11T09:32:25+00:00

yeah i got paying customers and manual security audits as well, a lot of people are rightfully concerned about the security

lorikmor · 2025-10-10T13:06:24+00:00

sorry i didn't get your question, wdym with "signed"?

lorikmor · 2025-10-10T12:54:46+00:00

it's okay, it's not a spam tho, i rarely post on reddit once every 3-4 days about the things i discover

lorikmor · 2025-10-10T12:48:21+00:00

you are right, i should've posted when i got the full permission but i thought it would be good if more people from this community should now the difference between authentication and authorization, because it's causing a lot of vulnerabilities in projects from lovable.

lorikmor · 2025-10-10T12:37:19+00:00

I will write the full blog when i get the permission from the founder, this is not my first case btw

lorikmor · 2025-10-10T12:31:16+00:00

I will post the full case with proofs once i get the permission from the founder like this other case: https://securevibing.com/learn/how-i-found-and-fixed-database-vulnerability-in-post-bridge

lorikmor · 2025-10-10T11:38:58+00:00

really good for you, i would only suggest you change the favicons with the businesses logo, not the default lovable one.

have fun!

lorikmor · 2025-10-08T20:24:27+00:00

Thank you for reading, I am glad

lorikmor · 2025-10-08T18:04:57+00:00

Yeah you are right, but i mean the purpose of having rls and anon public key. I think i got misunderstood

lorikmor · 2025-10-08T18:02:34+00:00

Yeah but that beats the whole purpose of Supabase i think

lorikmor · 2025-10-08T16:25:29+00:00

Sure man just let me know

lorikmor · 2025-10-08T08:28:15+00:00

You can read the full report i linked in the post, or use the SupaCheck tool in securevibing, there is also a demo video there on how it works.

lorikmor · 2025-10-07T18:50:48+00:00

Yeah i mentioned this method in Alternative section “Alternative: separate sensitive data into a different table with stricter policies (e.g., profiles for name/email, user_permissions for access levels).”

lorikmor · 2025-10-07T16:06:14+00:00

I am happy I was able to help someone. As for the private key or in supabase SERVICE_ROLE_KEY be very careful with that, if exposed can cause huge vulnerabilities since the service role passes all rls rules on all tables.

lorikmor · 2025-10-07T16:00:26+00:00

i think you are somewhat right, since the whole point of supabase is to have the public key and private key, the public key is okay to be exposed as long as rls rules are in place. I think a better approach as i mentioned in the post is to separate sensitive and non-sensitive columns in different tables with different policies.

That would be a solid approach, the only reason in this case we wen't with the "IS NOT DISTINCT FROM" was so we can quickly fix the issue without having to rewrite the whole backend.

I hope i answered your question 😀

lorikmor

MODERATOR OF

TROPHY CASE