Is your app vulnerable?
Paste your URL — quick results in 10 seconds, no signup.
The headline number
7% of Lovable and Bolt apps have a database that anyone on the internet can read. YC-backed companies, scanned as a control group: 0%. Lovable and Bolt apps share the same backend (Supabase), the same framework (React) and the same kind of deployment pipeline, so the gap is not the stack. It is what the developer knows to check, and what the AI code generator assumes has already been done.
Per-platform CRIT rate. A CRIT is a verified critical finding; the rate is the share of scanned apps with at least one.
| Platform | Apps scanned | Apps with a CRIT | Rate |
|---|---|---|---|
| YC companies (W21–F25) | 200 | 0 | 0% |
| Lovable | 476 | 34 | 7.1% |
| Bolt.host | 289 | 21 | 7.3% |
| Replit | 194 | 4 | 2.1% |
| Vercel (v0/AI) | 67 | 2 | 3.0% |
| Streamlit | 90 | 0 | 0% |
| Other (Heroku, Render, Fly, Netlify) | 53 | 3 | 5.7% |
Real cases — real people affected
Therapist coaching site — 15 tables exposed
Payment methods, future session schedules, subscriber lists, and email delivery logs for paying therapy clients. Built with Lovable.
Booking platform — 43 tables including customer chat logs
Every customer record, booking request, chat message, and uploaded file. The largest single exposure we found.
Health booking app — patient data via URL manipulation
Change /api/bookings/1 to /api/bookings/2 and the endpoint returns another patient's name, phone, email and appointment. There is no authentication and no ownership check on the record. Built with Replit.
CRM with 22 tables — companies, contacts, customers, partners
An entire business CRM's data readable by anyone with the public anon key. Accounting references, lead sources, manager assignments. Built with Lovable.
College student management — enrollment records exposed
Batch student data, profiles, subjects and support tickets for an Indian engineering college. Personal data of this kind falls under India's DPDP Act.
Finding categories: Supabase RLS plus 5 others
- Supabase RLS off — 96% of all CRITs. Tables holding real user data readable by anyone who has the public anon key, and every visitor has it, because it ships in the JS bundle by design. The anon key is not a secret; Row Level Security policies are the only access control between the internet and the table, and with RLS disabled the default grants typically let the anon role write and delete as well as read. The fix is enabling RLS on every exposed table and writing an explicit policy for each access path.
- API keys in JS bundles — OpenAI, Anthropic, Google and Stripe secret keys shipped client-side, readable by anyone who opens the bundle. 15% of Bolt.host apps. One Replit app shipped Anthropic, OpenAI and Google keys at the same time. The distinction that matters is secret versus publishable: a Stripe publishable key or a Supabase anon key belongs in the browser, an OpenAI or Stripe secret key never does.
- IDOR / broken access control — sequential numeric IDs on API endpoints that return other users' records with no ownership check. Health records, booking PII.
- Zero-auth APIs — published OpenAPI specs that declare no security schemes and no security requirement on any operation. 7–12 public endpoints per app, including destructive operations.
- Private keys in bundles — PEM-format private keys bundled into client JS by Webpack or Vite.
- AI hallucinations — AI-generated code that calls SDK functions which do not exist. It reads as if a security control is in place, but the call can never succeed, so the developer gets false confidence.
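The two categories that come straight out of the client bundle, RLS off behind a public anon key and secret keys shipped client-side, can be triaged locally. What follows is an added example written for this page; it is not the scanner's module and not code from any platform named above. It assumes a Supabase project on the default `<ref>.supabase.co` host and PostgREST's default `/rest/v1/` path; the bundle fragment, project ref and every key in it are constructed.

```javascript
// Added example, not the scanner's code. Triage a JS bundle the way the
// "RLS off" and "keys in bundles" findings arise: pull out the Supabase
// project URL and key, classify the key by its JWT role, grep for secret
// keys, and classify the response of an anon-key read probe.
// Node.js 18+, no dependencies. The bundle and keys below are constructed.

// Decode a JWT payload without verifying it; triage only needs the claims.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Assumes the default <ref>.supabase.co host (custom domains need another
// pattern). The anon key is public by design; a key whose role claim is
// service_role bypasses RLS entirely and is a far worse finding than RLS off.
function extractSupabaseConfig(bundle) {
  const url = (bundle.match(/https:\/\/[a-z0-9]{20}\.supabase\.co/) || [null])[0];
  const jwts = bundle.match(/eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g) || [];
  for (const key of jwts) {
    const claims = decodeJwtPayload(key);
    if (claims && claims.iss === "supabase") {
      return { url, key, ref: claims.ref || null, role: claims.role || "unknown" };
    }
  }
  return { url, key: null, ref: null, role: null };
}

// Secret-key patterns only. Stripe pk_* and the Supabase anon key are meant
// for the browser and are deliberately not listed. Ordered so the more
// specific prefix wins (an Anthropic key also starts with "sk-").
const SECRET_PATTERNS = [
  { provider: "anthropic", re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
  { provider: "openai", re: /sk-(?!ant-)[A-Za-z0-9_-]{20,}/g },
  { provider: "stripe_secret", re: /[sr]k_live_[A-Za-z0-9]{20,}/g },
  { provider: "google_api", re: /AIza[0-9A-Za-z_-]{35}/g }, // may be a referrer-restricted browser key: confirm by hand
];

function findSecretKeys(bundle) {
  const findings = [];
  for (const { provider, re } of SECRET_PATTERNS) {
    for (const m of bundle.matchAll(re)) findings.push({ provider, key: m[0], offset: m.index });
  }
  return findings;
}

// The read probe: one row via the public PostgREST endpoint, presenting
// nothing but the anon key. This is the request the case studies describe.
function rlsProbeRequest(url, anonKey, table) {
  return {
    method: "GET",
    url: `${url}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`,
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
  };
}

// Caveat: RLS enabled with no permissive policy does not deny the request,
// it filters every row, so the response is 200 and []. That is
// indistinguishable from an empty table; only a non-empty 200 is a
// confirmed exposure.
function classifyProbe(status, bodyText) {
  if (status === 200) {
    let rows;
    try { rows = JSON.parse(bodyText); } catch { return "UNEXPECTED"; }
    return Array.isArray(rows) && rows.length > 0 ? "EXPOSED" : "EMPTY_OR_FILTERED";
  }
  if (status === 401 || status === 403) return "DENIED"; // no grant for anon, or RLS denies outright
  if (status === 404) return "NOT_FOUND"; // table absent or not in the exposed schema
  return "UNEXPECTED";
}

// Live use, against your own project only (not executed in this example).
async function probeTable(url, anonKey, table) {
  const req = rlsProbeRequest(url, anonKey, table);
  const res = await fetch(req.url, { method: req.method, headers: req.headers });
  return classifyProbe(res.status, await res.text());
}

// Constructed sample: fake project ref, fake anon JWT, fake third-party keys.
function fakeJwt(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.${"x".repeat(43)}`;
}
const SAMPLE_ANON_KEY = fakeJwt({ iss: "supabase", ref: "abcdefghijklmnopqrst", role: "anon", exp: 1999999999 });
const SAMPLE_BUNDLE = [
  `const s=createClient("https://abcdefghijklmnopqrst.supabase.co","${SAMPLE_ANON_KEY}");`,
  `const stripe=Stripe("pk_live_CONSTRUCTEDPUBLISHABLE0000");`,
  `const h={"x-api-key":"sk-ant-api03-CONSTRUCTED-NOT-A-REAL-KEY-0000000000"};`,
  `const stripeSecret="sk_live_CONSTRUCTEDNOTAREALKEY0000";`,
  `const maps="AIzaCONSTRUCTED_NOT_A_REAL_KEY_00000000";`,
].join("\n");

const cfg = extractSupabaseConfig(SAMPLE_BUNDLE);
console.log("supabase:", cfg.url, "role:", cfg.role);
for (const f of findSecretKeys(SAMPLE_BUNDLE)) console.log("secret in bundle:", f.provider, "@", f.offset);
console.log("probe:", rlsProbeRequest(cfg.url, cfg.key, "profiles").url);
```

Run it with `node` on any bundle you have downloaded (replace `SAMPLE_BUNDLE` with the file contents) to see what a visitor can see. The publishable Stripe key in the sample is deliberately not reported, and the `EMPTY_OR_FILTERED` verdict is the reason a scanner can only confirm exposure, never prove protection, from the outside.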
Get the full scan on your app
80+ modules: Supabase RLS deep probe, XSS, IDOR, API key detection, Firebase audit, AI code fingerprinting, OWASP compliance report, and more.
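The zero-auth API and IDOR findings above come from reading an app's own API description. As an added example of that kind of check (illustrative code written for this page, not one of the scanner's modules), the following audits an OpenAPI 3 document for operations that require no authentication, flags the destructive ones, and marks integer path parameters as IDOR candidates in the style of the /api/bookings/1 to /api/bookings/2 case. The spec and the base URL are constructed.

```javascript
// Added example, not the scanner's code. Audits an OpenAPI 3 document for
// operations reachable with no authentication and flags the ones worth an
// IDOR probe. Node.js 18+, no dependencies. The spec below is constructed.

const HTTP_METHODS = ["get", "post", "put", "patch", "delete"];
const DESTRUCTIVE = new Set(["post", "put", "patch", "delete"]);

// Effective security requirements for one operation, per OpenAPI semantics:
//  - an operation-level `security` overrides the document-level one
//  - an explicit [] means "no auth required"
//  - an empty requirement object {} in the list makes auth optional,
//    i.e. anonymous calls are allowed
//  - a requirement naming a scheme missing from components.securitySchemes
//    cannot be enforced by anything and is dropped
function effectiveSecurity(spec, op) {
  const reqs = op.security !== undefined ? op.security : (spec.security || []);
  if (reqs.some((r) => Object.keys(r).length === 0)) return [];
  const defined = Object.keys((spec.components || {}).securitySchemes || {});
  return reqs.filter((r) => Object.keys(r).every((name) => defined.includes(name)));
}

// Path parameters can be declared on the path item or on the operation.
function pathParams(item, op) {
  return [...(item.parameters || []), ...(op.parameters || [])].filter((p) => p.in === "path");
}

function auditOpenApi(spec) {
  const operations = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (!op) continue;
      const params = pathParams(item, op);
      operations.push({
        method,
        path,
        authenticated: effectiveSecurity(spec, op).length > 0,
        destructive: DESTRUCTIVE.has(method),
        // Integer path ids are guessable; a string uuid is a poor IDOR target.
        idorCandidate: params.some((p) => p.schema && p.schema.type === "integer"),
      });
    }
  }
  return {
    total: operations.length,
    unauthenticated: operations.filter((o) => !o.authenticated),
  };
}

// Expand a templated path into concrete URLs for a sequential-id probe
// (the /api/bookings/1 -> /api/bookings/2 check). Only the first {param}
// is substituted; nested ids would need a cross product.
function idorProbeUrls(baseUrl, path, ids) {
  return ids.map((id) => baseUrl + path.replace(/\{[^}]+\}/, String(id)));
}

// Constructed sample spec: one defined scheme, no document-level security.
const SAMPLE_SPEC = {
  openapi: "3.0.3",
  components: { securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } } },
  paths: {
    "/api/bookings/{id}": {
      parameters: [{ name: "id", in: "path", required: true, schema: { type: "integer" } }],
      get: { summary: "Read a booking" },                         // no security anywhere: open
      delete: { summary: "Cancel a booking", security: [{ bearerAuth: [] }] },
    },
    "/api/bookings": {
      post: { summary: "Create a booking", security: [] },         // explicit opt-out
    },
    "/api/admin/users": {
      get: { summary: "List users", security: [{ apiKey: [] }] }, // scheme never defined
    },
    "/healthz": { get: { summary: "Liveness" } },
  },
};

const report = auditOpenApi(SAMPLE_SPEC);
for (const o of report.unauthenticated) {
  const tags = [o.destructive ? "DESTRUCTIVE" : null, o.idorCandidate ? "IDOR-candidate" : null].filter(Boolean);
  console.log(`${o.method.toUpperCase().padEnd(6)} ${o.path} ${tags.join(" ")}`);
}
```

Point it at a real `openapi.json` (many frameworks serve one at `/openapi.json` or `/swagger.json`) by replacing `SAMPLE_SPEC` with the parsed file. Spec analysis is static, so it fits a read-only methodology; the probe URLs from `idorProbeUrls` should only be sent to systems you are authorised to test, and a health-check endpoint with no auth is expected, which is why the report lists rather than scores.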
Methodology
Targets were sourced from certificate transparency logs, Google search and platform directories. Scans are non-destructive: GET requests plus a minimal set of POST probes, with 80+ scanner modules run per target. Every CRIT finding was verified reproducible before disclosure, and private disclosures were sent to all identifiable owners before publication.
What we scan for
Supabase RLS · Firebase rules · XSS · IDOR · CORS · CSP bypass · Cookie security · GraphQL mutations · WebSocket auth · Open redirect · DNS zone transfer · API key exposure (38 patterns) · JS prototype pollution · Dependency confusion · AI code fingerprinting · LLM hallucination detection · OAuth redirect · JWT weak secrets · Subdomain takeover · Nuclei CVE templates · and more.
Full module-by-module walkthrough →
Detailed write-ups
- Lovable vs Bolt vs Replit: per-platform RLS breakdown →
- Beyond Supabase RLS: 5 other critical vulnerabilities →
- Top 5 Supabase RLS mistakes on Lovable apps →
- Top 5 security issues on Replit apps →
- When your Anthropic key leaks: a case study →
Get the next report
One email when we publish the next batch scan. No marketing.
This report pulls live data from our scanner database. Questions, corrections, or press inquiries: [email protected].