Can people change the user ID in a URL to log in as another user on my app?
If you built with Lovable, Bolt, or Cursor without explicit authorization checks, probably yes. It's called IDOR and it's the second most common vibe-coded-app bug. Test it yourself: log in, copy a URL with your user ID, change the ID, hit enter. If it loads another user's page, you have the bug.
This bug is called IDOR (Insecure Direct Object Reference) or BOLA (Broken Object-Level Authorization). AI coding tools are particularly prone to it because they generate the happy path — 'fetch this user' — without the authorization check — 'only if it's YOUR user'.
**How to test it in 30 seconds:**

1. Create two accounts you control (User A and User B) so you know the target ID exists and is not yours.
2. Log in as User A and go to a page like `/account` or `/orders/123`.
3. Copy the URL.
4. In the URL, change `123` to the ID of one of User B's records (for example `124`).
5. If the page loads User B's data, you have the bug.

The ID is not always in the URL. If the page fetches data with an API call, open the browser's network tab, find the request that carries the ID (path, query string, or JSON body), and replay it with User B's ID while still logged in as User A.
**How to fix it.** Every API route that fetches user data needs an ownership check, and the identity it compares against must come from the server-side session, never from a user ID the client sends in the request:

```ts
if (order.user_id !== session.user.id) {
  return Response.json({ error: 'not yours' }, { status: 403 });
}
```

Two refinements a reviewer will ask for: a 403 confirms to an attacker that the row exists, so many apps return the same 404 they use for a missing row; and filtering by the session user's ID inside the query itself, rather than fetching the row and then checking, closes the gap in every code path that touches the table. For Supabase specifically, the cleaner fix is RLS on the underlying table, with a policy that compares the row's `user_id` column to the authenticated user's ID: Postgres will then refuse to return the row at all if the policy fails. One caveat: RLS only applies to requests made with the anon or authenticated key. The `service_role` key bypasses RLS, so any server route that uses it still needs the explicit check above.
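The vulnerable and fixed handlers side by side, with the two-user ID-swap probe from the testing steps automated. This is an added example, not code from this page or from Securie; the `Session` and `Order` types, the in-memory `orders` table, and the function names are assumptions made for illustration, and the two sample rows are constructed.

```typescript
// Added example, not the page's or Securie's code. Types, names and data are assumptions.
type Session = { userId: string };
type Order = { id: number; userId: string; total: number };
type RouteResult = { status: number; body: unknown };

// Constructed sample data: two users, one order each.
const orders: Order[] = [
  { id: 123, userId: "user-a", total: 42 },
  { id: 124, userId: "user-b", total: 99 },
];

function findOrder(id: number): Order | undefined {
  return orders.find((o) => o.id === id);
}

// The "happy path" a code generator typically emits: any logged-in user can read any order.
function getOrderVulnerable(_session: Session, id: number): RouteResult {
  const order = findOrder(id);
  if (!order) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: order };
}

// The fixed handler: ownership is checked against the server-side session, and a row the
// caller does not own gets the same 404 as a missing row, so IDs cannot be enumerated.
function getOrderFixed(session: Session, id: number): RouteResult {
  const order = findOrder(id);
  if (!order || order.userId !== session.userId) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: order };
}

// The 30-second test, automated: log in as A, fetch A's own order, then swap in B's ID.
function idorProbe(
  handler: (s: Session, id: number) => RouteResult,
): { ownStatus: number; swappedStatus: number; leaked: boolean } {
  const sessionA: Session = { userId: "user-a" };
  const own = handler(sessionA, 123);     // A's own order: should be 200 either way
  const swapped = handler(sessionA, 124); // B's order: 200 here means the route leaks
  return { ownStatus: own.status, swappedStatus: swapped.status, leaked: swapped.status === 200 };
}

console.log("vulnerable:", idorProbe(getOrderVulnerable)); // leaked: true
console.log("fixed:", idorProbe(getOrderFixed));           // leaked: false
```

The probe only checks status codes, which is enough to flag a leak; a real scanner should also diff the response bodies, since some apps return 200 with an empty body for rows the user cannot see.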
Securie tests API routes by logging in as two synthetic users and trying to swap IDs between them. Request access at /scan for a plain-English report of which routes leak plus the fix.