Vibe coding service Lovable accused of hosting malware-ridden apps exposing thousands of users — it says they should take more care
AI-generated code might look right, but it might not be secure
- One Lovable-built app included 6 critical vulnerabilities, and 10 more
- 170 of Lovable's 1,645 apps were found with critical flaws
- AI code might look right and function, but it might not be secure
Vibe coding platform Lovable has been accused of hosting insecure apps after security researcher Taimur Khan found that one app showcased by Lovable (an EdTech app) contained 16 vulnerabilities, six of them critical.
Khan outlined how the app exposed more than 18,000 user records, including teachers and students from major universities and schools.
Because of the faulty access controls, anyone could view all user data, delete accounts, change credit balances, send bulk emails, and access courses and grade submissions without logging in at all.
Lovable-showcased app vulnerability affected 18,000+
According to Khan, the core bug was a simple logic error. "The logic says: if you're a logged-in user, deny access," he wrote. The bug "might have slipped through AI code generation without proper review," he wrote, indicating that a human reviewer would likely have caught (or not even introduced in the first place) such an error.
The AI-generated backend code looked entirely functional, but its access controls had not been securely configured.
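The inverted access check Khan describes ("if you're a logged-in user, deny access") is easy to reproduce. The following is an added illustration, not code from Lovable or from the affected app: a flawed handler whose condition is inverted so that only anonymous callers get through, beside a deny-by-default version. The handler names, the in-memory user table and the admin-only rule are assumptions made for the example.

```python
"""Inverted access-control check beside a deny-by-default fix.

Hypothetical illustration of the logic error described in the article;
the data and handler names are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample rows standing in for an EdTech app's user table.
USERS = {
    "u1": {"role": "student", "email": "student@example.edu", "credits": 10},
    "u2": {"role": "teacher", "email": "teacher@example.edu", "credits": 0},
    "u3": {"role": "admin", "email": "admin@example.edu", "credits": 0},
}


@dataclass
class Request:
    user_id: Optional[str]  # None means the caller never logged in
    params: dict = field(default_factory=dict)


def list_users_buggy(req: Request) -> list:
    """Flawed handler: the condition is inverted.

    It rejects authenticated users and lets anonymous callers read every row,
    which is exactly the "logged in -> deny" logic quoted in the article.
    """
    if req.user_id is not None:  # "if you're a logged-in user, deny access"
        raise PermissionError("forbidden")
    return list(USERS.values())


def _require_role(req: Request, role: str) -> dict:
    """Deny by default: the caller must be authenticated and hold the role."""
    if req.user_id is None:
        raise PermissionError("authentication required")
    caller = USERS.get(req.user_id)
    if caller is None or caller["role"] != role:
        raise PermissionError("forbidden")
    return caller


def list_users_fixed(req: Request) -> list:
    """Hardened handler: only an authenticated admin may list users, and the
    response omits fields the caller has no need for (here, credit balances)."""
    _require_role(req, "admin")
    return [{"email": u["email"], "role": u["role"]} for u in USERS.values()]


def set_credits_fixed(req: Request) -> int:
    """Hardened write path for the 'change credit balances' action: same
    deny-by-default gate, plus validation of the requested value."""
    _require_role(req, "admin")
    target = USERS.get(req.params.get("user_id"))
    amount = req.params.get("credits")
    if target is None or not isinstance(amount, int) or amount < 0:
        raise ValueError("invalid target or amount")
    target["credits"] = amount
    return target["credits"]


def probe(handler: Callable[[Request], object], req: Request) -> str:
    """Run a handler and report whether access was allowed or denied."""
    try:
        handler(req)
        return "allowed"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    anon = Request(None)
    admin = Request("u3")
    print("buggy, anonymous :", probe(list_users_buggy, anon))   # allowed
    print("buggy, admin     :", probe(list_users_buggy, admin))  # denied
    print("fixed, anonymous :", probe(list_users_fixed, anon))   # denied
    print("fixed, admin     :", probe(list_users_fixed, admin))  # allowed
```

The point of the comparison is that the buggy handler "works" in the sense that a demo with an anonymous browser tab returns data, so a review that only checks for a successful response never sees the problem; a review that asserts the negative case (an unauthenticated or under-privileged caller is refused) catches it immediately.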
Though this report only relates to one Lovable app, Khan worries that similar mistakes could happen more broadly. "A security researcher scanned 1,645 apps built with Lovable and found 170 of them had critical flaws," Khan wrote.
He described AI-generated code as a "risk," not a "shortcut," criticizing vibe coding for producing output that looks correct, executes successfully and returns polished-looking user interfaces without necessarily being secure.
Additionally, Khan introduced the concept of 'vibe hacking', whereby less technically minded attackers are able to exploit AI-generated code because, as he put it, "AI-generated code defaults to functionality over security."
Acknowledging vibe coding's role in the industry, he called for platforms like Lovable to scan apps and build stronger security defaults into AI-generated code. Developers should carry out proper security reviews and remember that code which works is not necessarily code which is secure.
"Any project built with Lovable includes a free security scan before publishing," a Lovable spokesperson added (via The Register), while acknowledging that it is at the developer's discretion whether to implement Lovable's recommendations.
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!