Just in:
Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 // Guardian Fire expands Midwest reach with Nebraska deal // Rhenus to Further Strengthen Warehousing Solutions in the Philippines // Fynd brings AI fashion platform to Gulf // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // De Beers halts Venetia output amid diamond slump // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Trump scraps Hormuz levy but tightens Iran blockade // Microsoft executive joins Africa energy and AI talks // Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // US missiles disable tanker bound for Iran // Louis Vuitton Celebrates 130 Years of the Monogram // Wildfire smoke triggers alerts across 20 US states // Dealing.com claims record for tokenised stock access // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // UK sets overnight social media curfew for teens // Revolut clears first hurdle for Dubai crypto launch // Dubai weighs turning organic waste into aviation fuel //

Lovable flaw puts old projects at risk

Lovable, the fast-growing AI app builder used by startups and large corporate teams alike, is facing scrutiny after security researchers said an API authorisation flaw exposed sensitive data from projects created before November 2025, including source code, credentials, chat histories and customer records. The company has disputed the characterisation of the incident as a data breach, arguing that some of the visibility tied to public projects reflected product design and unclear documentation rather than unauthorised intrusion.

The disclosure has drawn attention because the alleged weakness appears to fall into one of the most serious categories of API security failures: broken object level authorisation, commonly known as BOLA. In such cases, a platform may correctly recognise that a user is logged in yet fail to verify whether that user is entitled to view a particular object, file or project. The issue is ranked as API1 in OWASP’s 2023 API Security Top 10, a position reflecting both its frequency and its potential to expose highly sensitive data with relatively little effort.

At the centre of the row is a public account by a researcher posting under the handle @weezerOSINT, who said the flaw had been reported more than six weeks before going public. According to accounts now circulating in specialist coverage, the researcher claimed that five API calls from a free account were enough to access another developer’s project data. Those claims described exposure extending beyond code to database credentials, AI conversation logs and customer information. The Register reported that the researcher said the flaw had been reported 48 days earlier and that a March 3 submission date appeared in screenshots tied to the disclosure trail.

ADVERTISEMENT

Lovable’s public response has been narrower. The company said it had not suffered a data breach and acknowledged that its explanation of what “public” meant had been inadequate. It added that chat messages for public projects had previously been visible but said that was no longer possible. The company also maintained that code visibility in public projects was intentional and consistent with how the product was meant to work. That distinction is central to the dispute: researchers and some independent reports describe an access-control failure affecting legacy projects, while the company has sought to frame at least part of the exposure as a consequence of product settings and documentation rather than a hostile compromise.

Even with that dispute unresolved, the practical concern for users is plain. Developers working in AI-assisted environments often paste secrets into prompts, logs and debugging threads, particularly during rapid prototyping. When those conversations sit alongside source code and deployment details, a single authorisation gap can expose far more than a traditional code leak. That risk has become more acute as AI coding platforms move from toy projects into production workflows, handling customer data, payment integrations and operational infrastructure. Lovable itself has been adding enterprise-style security features and highlighted a penetration-testing partnership in March, underscoring how sharply the market is shifting towards trust, compliance and secure deployment.

The timing is awkward for a company that has been scaling quickly. Lovable was founded in 2023 and was reported to have raised $330 million in December at a $6.6 billion valuation. At the same time, the broader ecosystem of AI-generated apps has been under pressure over security standards. Lovable had already attracted attention in 2025 after cybersecurity researchers and threat analysts linked the platform to wider misuse by criminals building phishing and fraud pages, even as the company said it had introduced stronger detection and takedown measures. The latest controversy is different in nature, but it lands in a market already wrestling with whether speed-to-app can coexist with disciplined security engineering.

For Lovable users, the most pressing question is whether older projects require review, rotation of credentials and tighter visibility controls. Reports around the flaw have consistently pointed to legacy projects created before November 2025, while Lovable has said enterprise customers have not been able to set new projects to public since May 25, 2025. Those details suggest that exposure, if confirmed in full, may not be uniform across all accounts and project types. Yet they also hint at a platform that evolved its security model over time, leaving a potentially awkward inheritance problem for older workspaces.


ADVERTISEMENT

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com