How we found +2k vulns, 400+ secrets and 175 PII instances in publicly exposed apps built on vibe-coded platforms (Research methodology)
A security research campaign uncovered over 2,000 medium vulnerabilities, including 98 highly critical issues, across publicly exposed applications built on vibe-coded platforms integrating Lovable front-ends with Supabase backends. The research revealed 400+ exposed secrets and 175 instances of personally identifiable information (PII), including sensitive data such as bank details and medical information. Notable vulnerabilities include Broken Object Level Authorization (BOLA), Server-Side Request Forgery (SSRF), and zero-click account takeover exploits. The threat arises from the architectural integration where sensitive tokens and API keys are exposed in frontend bundles, increasing the attack surface. Although no known exploits are currently in the wild, the critical severity and volume of findings indicate a significant risk. European organizations using these platforms or similar architectures face risks of data breaches, unauthorized access, and service disruption. Mitigation requires targeted scanning for exposed secrets in frontend code, strict API authorization enforcement, and comprehensive secrets management. Countries with high adoption of Supabase and vibe-coded platforms, such as the UK, Germany, France, and the Netherlands, are most likely affected. Given the ease of exploitation and sensitive data exposure without authentication, the suggested severity is critical.
AI Analysis
Technical Summary
This security research campaign focused on applications built using vibe-coded platforms that integrate Lovable front-ends with Supabase backends via APIs. The researchers identified a structural weakness where sensitive information, such as anonymous JWT tokens used for backend API authentication, is embedded within frontend bundles or source output. This exposure allows attackers to harvest secrets and tokens through lightweight, read-only scans of publicly accessible frontend code, significantly expanding the attack surface. The study uncovered over 2,000 vulnerabilities, including 98 highly critical issues, 400+ exposed secrets (such as API keys and tokens), and 175 instances of PII, including highly sensitive data like bank and medical information. Among the vulnerabilities found were Broken Object Level Authorization (BOLA), which allows unauthorized access to objects, Server-Side Request Forgery (SSRF), enabling attackers to make unauthorized requests from the backend, and zero-click account takeover exploits that do not require user interaction. The vulnerabilities stem from insecure integration patterns and insufficient access controls in the API layer, compounded by the inadvertent exposure of secrets in frontend code. Although no active exploits have been reported in the wild, the volume and criticality of the findings suggest a high risk of exploitation if attackers leverage these weaknesses. The research highlights the importance of securing frontend code, enforcing strict authorization on backend APIs, and managing secrets securely to prevent leakage. This threat is particularly relevant to organizations using Supabase and vibe-coded platforms or similar architectures that expose backend tokens in frontend bundles.
Potential Impact
For European organizations, this threat poses significant risks including unauthorized data access, leakage of sensitive personal and financial information, and potential account takeovers. The exposure of secrets and tokens in frontend code can lead to compromised backend APIs, enabling attackers to manipulate or exfiltrate data. The presence of PII such as bank details and medical information raises compliance concerns under GDPR, potentially resulting in regulatory penalties and reputational damage. Exploitation of BOLA and SSRF vulnerabilities can lead to privilege escalation and lateral movement within networks, increasing the scope of compromise. The zero-click account takeover vulnerabilities further exacerbate risks by enabling attackers to compromise accounts without user interaction, complicating detection and response. Disruption of services and loss of data integrity are additional concerns, impacting business continuity. European organizations relying on these platforms must consider the threat critical due to the ease of exploitation and the sensitivity of exposed data.
Mitigation Recommendations
Organizations should implement targeted scanning tools to detect exposed secrets and tokens within frontend bundles and source code repositories. Enforce strict API authorization policies, ensuring robust object-level access controls to prevent BOLA vulnerabilities. Adopt secure coding practices that avoid embedding sensitive tokens in frontend code; instead, use secure backend token management and short-lived credentials. Implement network-level protections and input validation to mitigate SSRF risks. Conduct thorough audits of third-party integrations and dependencies, particularly those involving Supabase and vibe-coded platforms. Employ secrets management solutions that automate rotation and prevent accidental exposure. Enhance monitoring and anomaly detection to identify unusual API usage patterns indicative of exploitation attempts. Educate developers on secure integration patterns and the risks of exposing backend credentials in frontend code. Finally, prepare incident response plans tailored to address potential data breaches involving PII and secrets exposure.
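As an added example (not code from the research or from the page's source), a small Python scanner that implements the first recommendation above and the weakness described in the Technical Summary: it pulls JWT-shaped strings out of a built JavaScript bundle, decodes their claims without verifying the signature, and classifies each token by its `role` claim. It assumes the Supabase convention that a `service_role` token bypasses row-level security and must never ship to a browser; the bundle text, the `_fake_token` helper and its tokens are constructed for the example.

```python
import base64
import json
import re

# A JWT is three base64url segments joined by dots; a JSON header always
# encodes to a segment starting with "eyJ", which keeps the regex selective.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")
# Assumed convention: a Supabase token whose "role" claim is "service_role"
# bypasses row-level security, so it must never ship in a browser bundle.
PRIVILEGED_ROLES = {"service_role"}

def _b64url_json(segment: str):
    """Decode one base64url segment as JSON; None if it is not valid JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None

def scan_bundle(js: str) -> list:
    """Find JWT-shaped secrets in bundle text and classify each by role claim.
    Signatures are not verified: this detects leakage, it does not accept tokens."""
    findings = []
    for match in JWT_RE.finditer(js):
        token = match.group(0)
        head, payload, _sig = token.split(".")
        header, claims = _b64url_json(head), _b64url_json(payload)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            continue  # dotted identifier that merely looks like a JWT
        role = str(claims.get("role", "unknown"))
        severity = "critical" if role in PRIVILEGED_ROLES else "info"
        findings.append({"token": token, "role": role, "severity": severity, "claims": claims})
    return findings

def _fake_token(claims: dict) -> str:
    """Hypothetical helper: JWT-shaped string with a dummy signature for the sample."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.{'x' * 43}"

# Constructed bundle excerpt: one anon key, one leaked service-role key, one decoy.
ANON_TOKEN = _fake_token({"iss": "supabase", "role": "anon", "exp": 1900000000})
ADMIN_TOKEN = _fake_token({"iss": "supabase", "role": "service_role", "exp": 1900000000})
SAMPLE_BUNDLE = (
    f'const anonKey="{ANON_TOKEN}";const adminKey="{ADMIN_TOKEN}";'
    'const build="eyJhbGciOi.notjson.sigsig";'  # JWT-shaped but not JSON: skipped
)

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"[{f['severity']}] role={f['role']} iss={f['claims'].get('iss')}")
```

Run it over the output of a production build (for example the `dist/` directory) rather than the source tree, since bundlers inline environment variables at build time.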
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium
Technical Details
- Source Type: Subreddit (netsec)
- Reddit Score: 2
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: escape.tech
- Newsworthiness Assessment: {"score":36.2,"reasons":["external_link","newsworthy_keywords:rce,exposed,ttps","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce","exposed","ttps"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 69038a86aebfcd54747b5aea
Added to database: 10/30/2025, 3:55:50 PM
Last enriched: 10/30/2025, 3:56:06 PM
Last updated: 10/30/2025, 5:42:19 PM