Not Elon

I Scanned Random Lovable Projects for Security Flaws. Here's What I Found.

I picked random public repos from Lovable's GitHub organization and ran them through a security scanner.

The first result stopped me cold.

The Scan

Project: A salon booking app built with Lovable. TypeScript, React, Firebase. Standard vibe-coded stack.

Score: 28/100. Grade F.

In 50 files, the scanner found:

  • .env file committed to the repo. Database passwords, API keys, everything. Sitting in plain text in the git history. Even if you delete it now, it's in every previous commit.
  • Firebase API key hardcoded in a public JavaScript file. public/firebase-messaging-sw.js had the key right there. Anyone who opens DevTools can copy it.
  • No .gitignore for secrets. The project never told git to ignore .env files. Every deploy pushed secrets to GitHub.
  • Firebase config exposed client-side without server validation. The app trusts whatever the client sends. No server-side check.
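As an added illustration (not VibeCheck's code and not the Lovable project's), here is a minimal Python checker for the first three findings above, run over a constructed sample repo: a committed `.env`, a `.gitignore` that never mentions it, and a Firebase key embedded in a file under `public/`. It inspects only the working tree, so, as the first bullet warns, it would not catch a `.env` that was deleted after being committed; the key regex and the point weights are assumptions, not VibeCheck's scoring.

```python
import re
import tempfile
from pathlib import Path

# Google/Firebase web API keys share a fixed shape: "AIza" plus 35 URL-safe characters.
FIREBASE_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# .gitignore entries accepted as covering .env files (assumption: simple literal patterns only).
ENV_IGNORE_PATTERNS = {".env", ".env*", "*.env", ".env.*", "/.env"}
# Point deductions per finding type (assumed weights, not VibeCheck's scoring).
WEIGHTS = {"env_committed": 40, "gitignore_missing_env": 15, "hardcoded_firebase_key": 20}

def scan_repo(root):
    """Return (check, detail) findings for a checked-out repo directory (working tree only)."""
    root = Path(root)
    findings = []
    # 1. .env files in the tree: anything here gets committed unless git ignores it.
    for env in root.rglob(".env*"):
        if env.is_file():
            findings.append(("env_committed", str(env.relative_to(root))))
    # 2. .gitignore absent, or present without an entry that covers .env files.
    gitignore = root / ".gitignore"
    patterns = set()
    if gitignore.is_file():
        patterns = {ln.strip() for ln in gitignore.read_text().splitlines()
                    if ln.strip() and not ln.lstrip().startswith("#")}
    if not patterns & ENV_IGNORE_PATTERNS:
        findings.append(("gitignore_missing_env", ".gitignore"))
    # 3. Firebase API keys embedded in JavaScript that is served to every browser.
    public = root / "public"
    if public.is_dir():
        for js in public.rglob("*.js"):
            for m in FIREBASE_KEY_RE.finditer(js.read_text(errors="ignore")):
                findings.append(("hardcoded_firebase_key", f"{js.relative_to(root)}: {m.group()[:8]}..."))
    return findings

def score(findings):
    """100 minus the weighted deductions, floored at 0."""
    return max(0, 100 - sum(WEIGHTS.get(kind, 5) for kind, _ in findings))

def build_sample_repo():
    """Constructed sample repo reproducing the three findings (not a real project or key)."""
    d = Path(tempfile.mkdtemp())
    (d / ".env").write_text("DB_PASSWORD=example-not-real\n")
    (d / ".gitignore").write_text("node_modules/\ndist/\n")
    (d / "public").mkdir()
    (d / "public" / "firebase-messaging-sw.js").write_text(
        'firebase.initializeApp({ apiKey: "AIza' + "A" * 35 + '" });\n')
    return d
```

Running `score(scan_repo(build_sample_repo()))` on the constructed repo gives 25; removing the `.env` and adding it to `.gitignore` leaves only the client-side key finding.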

Why This Matters

This isn't a bad developer. This is what Lovable outputs by default when you prompt "build me a salon booking app."

The AI optimized for "does it work?" and the answer was yes. The app works perfectly. It books appointments. It sends notifications. It stores data.

It just does all of that with the digital equivalent of an unlocked front door.

The Numbers

This isn't an isolated case:

  • Kaspersky (2026): 45% of AI-generated code contains security vulnerabilities.
  • Lovable's own data: 10.3% of apps had critical Row Level Security flaws.
  • Forbes (March 2026): "Vibe Coding Has A Massive Security Problem."
  • Veracode (March 2026): 45% of AI-generated code creates security vulnerabilities.

The Problem Isn't AI

The problem is that vibe coding tools optimize for speed, not safety. They're designed to get you from idea to working app in minutes. Security is a feature that slows things down.

Nobody prompts "build me a salon app with proper secret management, OWASP-compliant headers, and server-side Firebase validation."

They type "build me a salon booking app" and deploy whatever comes out.

What You Can Do

Scan before you ship. It takes 3 seconds.

VibeCheck is a free security scanner built for vibe-coded apps. Paste a GitHub URL, get a score. It checks for hardcoded secrets, missing auth, exposed API routes, Firebase misconfigs, Supabase RLS gaps, and 13 other common issues.

No signup. No install. One URL.

If your app scores below 70, fix the critical issues before going live. The scanner gives you copy-paste prompts you can feed right back to your AI coding tool.

Your app might work fine. That doesn't mean it's safe.