Real findings.
Zero names.
Every case below is a real production app built with Lovable, bolt.new, Cursor, v0, or Claude Code. None are named. We contact affected owners privately, give them a 14-day private window to patch, and only publish identifying details with consent — or never.
If you think one of these cases is your app, email [email protected]. We will send the full report privately, walk you through the fix, and never publish identifying details without your consent.
No name-and-shame. No press. Just the report and a path to patched.
Eight real apps. Findings redacted.
Public anon key reads 20+ private tables
Tables: users, profiles, listings
A single unauthenticated GET to the PostgREST endpoint returned 1000+ rows of listings, contact metadata, and private profile fields. The anon key used is the same one shipped in the public JS bundle.
Any attacker can enumerate every record, scrape contact emails at scale, and probe write endpoints that inherit the same missing RLS policy.
User emails + posts readable with no auth
Tables: users, posts, profiles
Unauthenticated reads on the users table returned rows containing email addresses, display names, and auth metadata. The posts table returned the full content feed in a single request.
Every registered user's email is harvestable for phishing. The full content database is one curl away from a competitor, scraper, or dataset broker.
Submissions + uploaded asset URLs exposed
Tables: submissions, uploads
The submissions table returned user-submitted entries including contact info and storage URLs for uploaded assets. Storage ACLs did not compensate.
Submitter PII is public. Storage URLs can be walked to clone the entire asset library without ever touching the app UI.
Supabase service_role key shipped in JS bundle
The compiled JavaScript bundle contained a Supabase JWT with role=service_role — the god-mode key that bypasses Row Level Security on every table in the project.
Possession of a service_role key is game over for a Supabase project: full read, write, and delete on every table, every row, every bucket. Immediate key rotation is required, and all prior activity must be audited.
PII across multiple provider tables
Tables: providers, locations, profiles
Three separate RLS-open tables returned real records containing email addresses, phone numbers, and physical street addresses. The PII classifier confirmed the match on every sampled row.
Regulatory exposure under GDPR Art. 32 and US state breach-notification laws. Competitors can scrape the entire directory in minutes.
Member contact data + booking history leak
Tables: members, bookings, groups
Member and booking tables returned rows with email, phone, and reservation history for paying customers of the platform.
Customer PII is enumerable by any visitor. Booking history reveals member activity patterns — a privacy failure even without the direct contact leak.
Six tables world-readable, identities exposed
Tables: submissions, users, page_content
Six separate tables returned data to unauthenticated anon-key requests. Records linked contributor identity to submission timestamps, breaking the pseudonymity the platform advertised.
Contributor anonymity is broken. Anyone can enumerate the full list of people who submitted to the site and correlate it with other public data.
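Six of the eight cases above share one root cause: a table in the API-exposed public schema that was created without Row Level Security, so the anon role behind the public anon key can read every row through PostgREST. The following SQL is an added illustration written for this page; it is not code from the report or from any of the affected apps. It shows the weak state beside the corrected one and ends with an audit query a project owner can run against their own database to list tables that are still open. The profiles table and its columns are made up, and the block assumes Supabase's standard auth.uid() helper and its default grants to the anon and authenticated roles.

```sql
-- WEAK STATE (what the scanner found): a table created with no RLS.
-- Through PostgREST every role that can reach the API, including the anon
-- role behind the anon key in the JS bundle, can SELECT every row.
create table public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  email        text not null,
  display_name text,
  phone        text
);
-- Nothing here enables row level security, so nothing filters a SELECT.

-- HARDENED STATE: enable RLS and write policies for the roles that need access.
alter table public.profiles enable row level security;

-- With RLS on and no policy granted to anon, an anon SELECT returns zero rows
-- (Postgres is default-deny once RLS is enabled). Revoking the default grant
-- turns that silent empty result into a permission error, which is easier
-- to notice during testing. Assumes Supabase's default privileges on public.
revoke select on public.profiles from anon;

-- Signed-in users may read and update only their own row.
create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- NOTE: none of these policies restrict service_role. That Postgres role
-- bypasses RLS entirely, which is why the service_role key must never reach
-- a client bundle (see the separate service_role finding above).

-- AUDIT QUERY: tables in the public schema that either have RLS disabled
-- or have RLS enabled but no policy at all. Run it from the SQL editor or
-- psql as the project owner; every row it returns deserves a look.
select c.relname           as table_name,
       c.relrowsecurity    as rls_enabled,
       count(p.polname)    as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
group by c.relname, c.relrowsecurity
having c.relrowsecurity = false or count(p.polname) = 0
order by c.relname;
```

A table that shows up with rls_enabled = false is exactly the shape of the listings, users, submissions, providers, and members findings above; a table with RLS on but zero policies is usually an unfinished migration, since no client role can read it at all. After adding policies, re-run the query until it returns nothing for tables the app exposes.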
XXE + unauthenticated API routes
The file upload endpoint accepted XML payloads and resolved external entity references, enabling read access to server-side files. Several adjacent API routes had no authentication at all.
Server-side file disclosure, SSRF pivot, and unauthenticated API abuse. The most dangerous single target in the batch — eight CRITICAL findings stacked on one app.
How we work.
The rules
- Scans are read-only. We never write, modify, or delete data.
- We use the same public anon key that's already shipped in the app's JavaScript bundle — not a stolen credential.
- Every finding on this page is reproducible with a single curl command.
- Evidence snippets above are redacted. We do not publish real user PII.
- If you own one of these apps and want the full report, email us — we'll send it privately and help you fix it.