zlacker

[return to "11% of vibe-coded apps are leaking Supabase keys"]
1. xyborg+1[view] [source] 2026-01-17 21:30:50
>>xyborg+(OP)
Something remarkable happened in 2024-2025: building a full-stack app became easy. Tools like Supabase, combined with AI coding assistants and no-code builders, let solo founders ship production apps in days, not months.

But speed comes at a cost. As we started using SupaExplorer to audit projects, we noticed a pattern: many apps were misconfiguring their Supabase setup. The anon key in client-side code is fine; it's designed to be public. But we found apps exposing the service_role key (which bypasses RLS), or using the anon key with tables that had no RLS policies at all.

We decided to quantify the problem. Over the past month, we collected launch URLs from five major indie product directories and systematically scanned each one.

- 20,052 URLs Scanned - 2,217 Domains Exposed - 11.04% Exposure Rate - 2,325 Critical Exposures

What's Being Leaked

Not all exposures are equal. Finding a Supabase project URL and anon key in client code is expected, as both are designed to be public. The anon key provides low-privilege access that respects your Row Level Security policies.

The danger is when apps expose the service_role key (or the new sb_secret_... format), the elevated-privilege key meant only for server-side use. Of the 2,960 files flagged, we found credentials that could bypass RLS in a significant portion. We also verified which exposed databases had tables without RLS protection.

I would love to hear your thoughts on this, and how can we generating awareness about this topic.

◧◩
2. kiwico+kI3[view] [source] 2026-01-19 09:04:10
>>xyborg+1
(Supabase CEO)

> The danger is when apps expose the service_role key (or the new sb_secret_... format)

Fwiw, the new secret keys are automatically revoked if they are pushed to github, and github is progressively rolling out push protection - to prevent them getting pushed in the first place. Of course, not everyone uses github

People disabling RLS, or making RLS a simple pass-through, is a battle we are constantly fighting. We have made good strides here over the past 12 months:

https://supabase.com/blog/supabase-security-2025-retro

- event triggers to enforce RLS on all tables

- lints to scan for insecure rules

- ai to write secure policies (if they are too lazy or confused to do it themselves)

- big red labels when a table is exposed

- weekly emails with security alerts

- dashboard alerts and security advisors

- contractually requiring Vibe coding platforms to expose our Security Advisors if they are integrating with us

- red teaming customers that have egregious issues (this has been surprisingly effective, just harder to scale up)

I appreciate you creating this tool - as you can see we are also “tooling up” as much as we can. If there are any other things that you think we are missing let me know and we will prioritize it

We will be introducing new AuthZ patterns this year so I’m hoping that will also help

[go to top]