Lately, I've been seeing a lot of claims that AI can build web apps without any development knowledge. But I noticed the security community holds the opposite opinion, because those vibe-coded web apps tend to have more bugs than conventionally built ones. I didn't have time to look into this until I got a chance to test a web application that my friend group had developed with Lovable for their startup.
Lovable markets its platform (an AI web builder) to founders and entrepreneurs who don't have much web development knowledge but have a good startup idea (that's how I see it). But the real question is: is it worth using for a startup, and are those apps actually production-ready?
After discussing it with my friends, I tested their web app. At first glance, it had a stunning UI, but within a few minutes I realized that finding vulnerabilities was easier than solving HTB medium machines with the help of Claude. There were many authorization issues, and I could easily take over the admin account using XSS for exfiltration. There were also API keys leaked in the JS files, which should never be exposed to the client. Finding these issues took about half a day, not just because of my skills, but mainly because of how poorly the app was designed. Also, authorization and XSS are not even my main bug classes in bug bounty hunting. It's obvious these could easily be broken by script kiddies using an AI like Claude.

I think the Lovable team is aware of this problem. Recently, they integrated Akido, an AI pentesting feature, into Lovable. Maybe this helps solve the issue. As far as I know, it's a paid feature (around $100 per test). But many people are attracted to Lovable because they can build apps for free, so they're probably not willing to pay $100 for security testing.
Still, adding Akido and testing apps is a good step. Whether to pay for (or even consider) security testing (Akido or any other service) is ultimately up to the users building the apps. But from Lovable's side, they should make it clear that these apps are not secure by default, instead of promoting the platform as a magic tool that turns ideas into production-ready web apps. That said, Lovable is a great tool for prototyping a service, especially for those without web development experience.