My Lovable app might be exposing customer data — how do I check?
10.3% of Lovable apps had BOLA exposure from missing RLS for 48 days. Yours might be next — here's the 15-minute audit.
You read TheNextWeb's article on Lovable's April 2026 BOLA breach: 170 of 1,645 apps, with real names, LinkedIn profiles and Stripe customer IDs reachable via anonymous HTTP. You realize you don't actually know whether your Lovable-built app is in the affected cohort. You've never written an RLS policy.
What happens next
- If your tables are RLS-disabled
Anyone with your Supabase URL + anon key (both public by design — they ship in your app's JS bundle) can read every row in every exposed table. Bots find this within hours of going live.
- How attackers find you
Automated tools scrape Lovable export repos on GitHub, search JavaScript bundles on live URLs, enumerate Supabase project IDs. If you went live, they've probed you.
- What they exfiltrate
Customer records, email addresses, Stripe customer IDs, internal notes, anything in the affected tables. Per the disclosure: real names + LinkedIn profiles + Stripe IDs.
- What you don't know
Whether they took it already. Most apps in the affected cohort had no detection of the exfiltration — the requests look identical to legitimate browser traffic.
Without Securie
You manually audit RLS on every Supabase table. You write tenant-scoped policies yourself. You hope you got every table. You probably miss one. Next week Lovable ships a new feature that adds another table; the cycle repeats.
With Securie
Securie's Supabase RLS specialist reads every migration on every PR + sandbox-verifies that cross-tenant reads fail. The AuthAuthz/BOLA specialist catches BOLA-vulnerable browser-to-Supabase REST calls. The secret_scanner flags hardcoded anon_key in the client bundle. All three layers run on every commit Lovable ships to your repo.
Exactly what to do right now
- Open Supabase Studio → Authentication → Policies; for every table, confirm RLS is ON
- For every table with user data, confirm at least one policy references both auth.uid() AND a tenant claim from the JWT
- Enable RLS on any table missing it: see /templates/rls-policy-supabase for the canonical bundle
- Add default-deny policies layered under explicit allow policies
- Read /incidents/lovable-bola-april-2026 + /safe/is-lovable-safe for the full breach detail + platform assessment
- Join the Securie free-scan list at /scan — full audit of your Lovable project in week 1 of early access
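As an added worked example (not code from this page, from Lovable or from Securie), here are the audit and fix steps above as SQL you can paste into the Supabase SQL editor. It assumes a hypothetical `public.customers` table with `tenant_id` and `owner_id` columns, and assumes the tenant id is carried in an `app_metadata.tenant_id` JWT claim (set server-side; `user_metadata` is editable by the user and must never be used for authorization). One caveat on the default-deny step: PostgreSQL has no explicit "deny" policy. Once RLS is enabled, a query that matches no permissive policy is already denied, and an `AS RESTRICTIVE` policy is how you layer a tenant fence that every allow policy must also pass. The last two blocks are the verification the page describes: a simulated cross-tenant read and an anonymous read, both of which must return nothing.

```sql
-- Added example, not from the page or from Securie. Assumed schema:
-- customers(id uuid, tenant_id uuid, owner_id uuid, ...). Assumed JWT
-- layout: app_metadata.tenant_id holds the caller's tenant (placeholder claim name).

-- Audit check 1: which public tables still have RLS off?
select n.nspname as schema, c.relname as "table"
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'          -- ordinary tables only
  and not c.relrowsecurity;    -- RLS disabled: every row readable with the anon key

-- Audit check 2: policies that allow everything (USING (true)) or that the
-- anon role can use. Each hit needs a written justification.
select tablename, policyname, roles, cmd, qual
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or 'anon' = any(roles));

-- Fix step 1: turn RLS on. With RLS enabled and no policy matching the
-- caller, PostgreSQL returns no rows and rejects writes; that is the
-- default-deny layer. FORCE applies it to the table owner as well. Roles
-- with BYPASSRLS (Supabase's service_role) still skip it, so that key
-- must never ship in a browser bundle.
alter table public.customers enable row level security;
alter table public.customers force row level security;

-- Fix step 2: the tenant fence as a RESTRICTIVE policy. Restrictive
-- policies are ANDed with every permissive policy, so a later "allow"
-- that forgets the tenant check still cannot reach across tenants.
create policy customers_tenant_fence
  on public.customers
  as restrictive
  for all
  to authenticated
  using (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
  with check (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);

-- Fix step 3: explicit allow policies, each referencing auth.uid().
create policy customers_owner_read
  on public.customers
  for select
  to authenticated
  using (owner_id = auth.uid());

create policy customers_owner_insert
  on public.customers
  for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy customers_owner_update
  on public.customers
  for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Verification 1: impersonate a user from another tenant inside a
-- transaction. auth.uid() and auth.jwt() read request.jwt.claims, so
-- setting it locally simulates the JWT without a real login.
-- Expected result: 0 rows visible (an empty result, not an error).
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"00000000-0000-0000-0000-000000000001",
      "role":"authenticated",
      "app_metadata":{"tenant_id":"00000000-0000-0000-0000-0000000000aa"}}';
  select count(*) as rows_visible_to_other_tenant
  from public.customers
  where tenant_id <> '00000000-0000-0000-0000-0000000000aa';
rollback;

-- Verification 2: the anonymous case. The anon role has no policy on this
-- table, so it must see nothing. Expected result: 0.
begin;
  set local role anon;
  select count(*) as rows_visible_to_anon from public.customers;
rollback;
```

Re-run the two audit queries after every Lovable-generated migration: a new table is created with RLS off unless the migration enables it, which is exactly the repeat cycle the page warns about.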