Lovable Fixes API Flaw That Let Free Users View Others’ Chat Histories
AI platform Lovable resolved a Broken Object Level Authorization (BOLA) vulnerability that allowed free users to view others' chat histories and project data. No data breach occurred.
TL;DR
AI development platform Lovable has resolved an API vulnerability that allowed free users to access other users' chat histories and project data. The company states no data breach occurred, and the flaw is now fixed.
Modern AI platforms face scrutiny over data privacy and access controls. AI development platform Lovable recently addressed a significant security vulnerability that permitted unauthorized viewing of user chat histories and project data. This incident highlights ongoing challenges in securing complex application programming interfaces (APIs).
A security researcher identified a Broken Object Level Authorization (BOLA) flaw in Lovable's API. BOLA occurs when an application authenticates a caller but fails to check whether that caller is actually permitted to access the specific object (project, conversation, file) named in the request. The researcher demonstrated that reaching other users' data required only a few API requests, not a sophisticated attack. As a result, free users could view sensitive information from other projects, including chat histories, source code, and login credentials.
Initially, the vulnerability was reportedly submitted via a bug bounty platform but was not escalated, with some data visibility deemed "intended behavior" related to public project settings. However, renewed attention to the issue prompted a closer look. Lovable stated there was no data breach. The company later clarified that the distinction between public and private projects led to user confusion regarding data accessibility. Lovable confirmed the vulnerability is now fixed, and chat data is no longer accessible to others. The company also noted users always had the option to set projects to private, although this option was not universally available in the past.
This incident underscores the critical importance of rigorous authorization checks on all API endpoints, especially for platforms handling sensitive data for corporate clients like Uber and Deutsche Telekom. Organizations relying on such platforms must understand underlying data visibility settings and ensure they align with security policies. Developers must implement robust access control mechanisms to prevent BOLA vulnerabilities. Regular security audits and penetration testing are crucial for identifying such flaws before they are exploited. Clear, unambiguous documentation for security features is also paramount.
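To make the BOLA pattern and its fix concrete, here is an added example (not Lovable's code, and not derived from the researcher's report): a minimal project/chat lookup handler written twice, once with only an authentication check and once with the object-level check the article calls for. The data store, user names, project ids, field names and the `PUBLIC_FIELDS` policy are all constructed for illustration. The hardened version also records denied lookups, since a burst of denials from one session is the signal a defender would alert on when someone walks through object ids.

```python
"""Object-level authorization on a project/chat API: vulnerable vs hardened handler.

Everything below is constructed sample data and hypothetical function names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Project:
    id: str
    owner: str
    visibility: str                # "public" or "private"
    source: str
    chat: List[str]
    secrets: Dict[str, str] = field(default_factory=dict)


# Constructed in-memory store standing in for the platform's database.
PROJECTS: Dict[str, Project] = {
    "p-100": Project("p-100", "alice", "private", "print('todo app')",
                     ["alice: build a todo app"], {"DB_PASSWORD": "sample-only"}),
    "p-200": Project("p-200", "bob", "public", "console.log('landing page')",
                     ["bob: make the header blue"]),
}
USERS = {"alice", "bob", "mallory"}   # all three hold valid sessions (free tier)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_project_vulnerable(session_user: str, project_id: str) -> Response:
    """BOLA: the caller is authenticated, but never authorized for *this* object."""
    if session_user not in USERS:
        return Response(401)
    project = PROJECTS.get(project_id)
    if project is None:
        return Response(404)
    # Every field is returned to any logged-in caller who knows or guesses the id.
    return Response(200, {"source": project.source,
                          "chat": project.chat,
                          "secrets": project.secrets})


# Policy for non-owners of a *public* project: only these fields are visible.
# Chat history and secrets are deliberately absent, so "public" never leaks them.
PUBLIC_FIELDS = {"source"}

# Audit trail of denied object lookups (the detection signal for id enumeration).
DENIED_LOG: List[dict] = []


def get_project_secure(session_user: str, project_id: str) -> Response:
    """Same endpoint with an object-level authorization decision per request."""
    if session_user not in USERS:
        return Response(401)
    project = PROJECTS.get(project_id)
    if project is None:
        return Response(404)
    if project.owner == session_user:
        # Owner sees everything, including chat and stored credentials.
        return Response(200, {"source": project.source,
                              "chat": project.chat,
                              "secrets": project.secrets})
    if project.visibility == "public":
        # Non-owner on a public project: filtered to the public field set only.
        return Response(200, {f: getattr(project, f) for f in PUBLIC_FIELDS})
    # Private project, non-owner: log it and answer exactly like "not found",
    # so the response does not confirm which ids exist.
    DENIED_LOG.append({"user": session_user, "project": project_id})
    return Response(404)


def flag_enumeration(log: List[dict], threshold: int) -> set:
    """Return users whose denied-lookup count reached the threshold."""
    counts: Dict[str, int] = {}
    for entry in log:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Free user "mallory" asks for alice's private project.
    print("vulnerable:", get_project_vulnerable("mallory", "p-100"))
    print("secure    :", get_project_secure("mallory", "p-100"))
    print("public    :", get_project_secure("mallory", "p-200"))
    print("flagged   :", flag_enumeration(DENIED_LOG, threshold=1))
```

The important design choice is that the authorization decision is made per object and per field set, not per session: knowing a valid id buys a non-owner nothing on a private project, and "public" exposes only an explicit allow-list of fields rather than everything minus a deny-list. Returning 404 for both unknown and forbidden ids keeps the endpoint from acting as an id oracle, while the denied-lookup log gives operations a concrete metric to alert on.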
Moving forward, the industry will watch how AI development platforms enhance their security posture and user communication regarding data privacy, particularly as AI adoption accelerates across enterprises.