The AI coding platform Lovable has recently come under scrutiny over a security vulnerability. Researchers disclosed on social media that anyone with a free account on the service could read other users' sensitive data, including credentials, chat histories, and source code. Lovable initially said the exposure was "intended behavior" compounded by "poor documentation," but its statements have kept changing since.
According to researcher @weezerOSINT, the issue was reported 48 days earlier, but Lovable marked it as a "duplicate" and did not act on it. The researcher then filed the report through HackerOne, dated March 3rd. Follow-up posts showed that the platform was still leaking users' secrets and personal data.
The vulnerability was a case of broken object-level authorization (BOLA, the top entry in the OWASP API Security Top 10): the API authenticated the caller but never checked that the caller was entitled to the specific object being requested, so any user could read or modify other users' data. The researchers stressed that no exploit was needed; five ordinary API calls were enough to retrieve a victim's profile, their public projects and the associated source code, and to extract database credentials from it.
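The pattern is easiest to see in code. The following is an added, generic illustration written for this article; it is not Lovable's code or API, and the users, project records, field names and handler names are all constructed for the demo. It places a BOLA-vulnerable read handler next to a hardened one that checks ownership on every object access, returns 404 rather than 403 for objects the caller may not see (so IDs cannot be enumerated), and treats "public" as an explicit allow-list of fields rather than the whole record.

```python
"""Generic BOLA (Broken Object Level Authorization) demo.

Added, hypothetical example: not Lovable's code or API. All users, project
records and field names below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours', so a caller probing
    IDs cannot distinguish the two cases (no 403 oracle)."""


@dataclass
class Project:
    project_id: str
    owner_id: str
    public: bool
    source_code: str
    chat_log: List[str] = field(default_factory=list)
    db_credentials: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: one private project (alice) and one public (bob).
PROJECTS: Dict[str, Project] = {
    "p-1001": Project("p-1001", "alice", public=False,
                      source_code="print('alice private')",
                      chat_log=["alice: add a login page"],
                      db_credentials={"user": "alice_app", "password": "s3cret"}),
    "p-1002": Project("p-1002", "bob", public=True,
                      source_code="print('bob public')",
                      chat_log=["bob: make the header blue"],
                      db_credentials={"user": "bob_app", "password": "hunter2"}),
}


def _full_view(p: Project) -> dict:
    """Owner's view of a project: every stored field."""
    return {"project_id": p.project_id, "owner": p.owner_id,
            "source_code": p.source_code, "chat_log": p.chat_log,
            "db_credentials": p.db_credentials}


def get_project_vulnerable(requester_id: str, project_id: str) -> dict:
    """BOLA: checks that the caller is *some* logged-in user (authentication)
    but never that the caller may see *this* object (authorization), and
    returns the full record, secrets included, to anyone who knows the ID."""
    if not requester_id:
        raise PermissionError("login required")
    p = PROJECTS.get(project_id)
    if p is None:
        raise NotFound(project_id)
    return _full_view(p)


def get_project_hardened(requester_id: str, project_id: str) -> dict:
    """Object-level authorization on every read, plus field-level filtering.

    Owner              -> full record.
    Non-owner, public  -> only the allow-listed 'public' fields (source code);
                          chat history and credentials are never public.
    Non-owner, private -> NotFound, indistinguishable from a missing ID.
    """
    if not requester_id:
        raise PermissionError("login required")
    p = PROJECTS.get(project_id)
    if p is None or (p.owner_id != requester_id and not p.public):
        raise NotFound(project_id)
    if p.owner_id == requester_id:
        return _full_view(p)
    # Public view is an explicit allow-list, never the whole record.
    return {"project_id": p.project_id, "owner": p.owner_id,
            "source_code": p.source_code}


def probe(handler: Callable[[str, str], dict], requester_id: str,
          id_range: Iterable[str]) -> List[str]:
    """Simulate a free account iterating object IDs against a handler.
    Returns the IDs of other users' projects whose credentials came back."""
    leaked = []
    for pid in id_range:
        try:
            resp = handler(requester_id, pid)
        except NotFound:
            continue
        if resp["owner"] != requester_id and "db_credentials" in resp:
            leaked.append(pid)
    return leaked


if __name__ == "__main__":
    ids = [f"p-{n}" for n in range(1000, 1005)]
    print("vulnerable handler leaked:", probe(get_project_vulnerable, "mallory", ids))
    print("hardened handler leaked:  ", probe(get_project_hardened, "mallory", ids))
```

Run as a script, the vulnerable handler hands "mallory" the credentials of both projects, while the hardened one leaks nothing and still serves bob's public source code. The two points worth carrying over to a real API are that the ownership check has to live inside every object-returning handler (not only on a list endpoint), and that "public" should be a deliberately chosen set of fields, so a visibility flag can never expose chat history or secrets by accident.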
Although Lovable did not respond to inquiries from The Register, on social media the company acknowledged for the first time the concerns about the visibility of chat messages and code, while insisting, "We have not experienced a data breach." It then attributed the problem to poor documentation, conceding, "Our definition of 'public' was not clear enough, which was our mistake."
Lovable explained that, as of May 25, 2025, enterprise users could no longer set new projects to public, whereas early free-tier users had no option to create private projects and had to upgrade to a paid plan to do so. The company ultimately admitted that a permission setting in the API had unintentionally made chat histories visible again.
In its handling of the report, Lovable noted that HackerOne's triage partner had classified the ability to view chat records of public projects as expected behavior, so no further action was taken. HackerOne has made no public statement since the initial triage.
Lovable thanked the researchers who found the flaw and promised to do better going forward.
Key Points:
📅 Researchers found a serious access-control flaw (BOLA) on the Lovable platform that made other users' sensitive data easy to retrieve.
🔧 Lovable first blamed poor documentation, changed its account several times, and ultimately pointed to HackerOne's triage decision.
📉 Lovable says the flaw is fixed and that it will improve its security practices and communication with users.