AI-built SaaS platform (international market, handling real user contracts and payment data)

The Cost of Advertising Security You Don't Have: Audit of an AI-Built SaaS Platform

The Cost of Advertising Security You Don't Have: Audit of an AI-Built SaaS Platform

A SaaS generation platform built with AI assistance marketed itself directly on enterprise-grade security and end-to-end data protection, while handling real user contracts, payment details, and digital signatures. A security audit found four high-severity issues, including a session token architecture that turns any future XSS bug into permanent account takeover.

A SaaS generation platform built with AI assistance marketed itself directly on enterprise-grade security and end-to-end data protection, while handling real user contracts, payment details, and digital signatures. A security audit found four high-severity issues, including a session token architecture that turns any future XSS bug into permanent account takeover.

Stack

Lovable-generated frontend, Supabase backend

Primary finding

Four high-severity findings, including a hardcoded backend key in the frontend bundle and a session/refresh token architecture that enables permanent account takeover following any XSS exposure

Outcome

Findings were compiled and delivered directly to the platform's developer, including the specific gap between the product's public security claims and its actual authentication and session handling.

Background

A SaaS generation platform built almost entirely with AI tooling was identified during routine scanning of newly launched AI built apps. The platform stood out immediately for one reason: its own landing page advertised enterprise grade security and end-to-end data protection as core selling points, while the app itself handled genuinely sensitive user data, contracts, payment information, and digital signatures tied to real business transactions. That combination, a security claim made directly to paying users plus real financial and legal data behind it, made it a priority target for a full audit rather than a quick surface scan.


Scope

The audit covered frontend bundle analysis for hardcoded credentials, backend key exposure, session and token storage, and authentication flow behavior including password reset and rate limiting.


What we found

The backend's anon key was found hardcoded directly in the page's HTML as a named constant, and was actively used as both the API key header and the bearer authorization header on every request the app made. A second backend key, at the higher-privilege service role level, was also referenced by name inside the compiled frontend bundle, a class of exposure with materially higher risk than a standard anon key if it turned out to be live and functional.

Session handling carried the most serious long-term risk. Both the session token and its refresh token were stored together in browser Local Storage. On its own that's a common and containable pattern. Paired with any future cross-site scripting vulnerability anywhere on the site, it stops being containable: an attacker who can run script in a user's browser gets a token that refreshes itself indefinitely, turning a one-time compromise into permanent, self-renewing access to that account.

The password reset flow leaked account existence directly. Submitting an email address that wasn't registered returned an explicit message stating no account was found, meaning the endpoint could be used to enumerate every registered user on the platform without ever attempting a login. None of the tested endpoints enforced meaningful rate limiting, so both the enumeration flaw and any credential-guessing attempt could be run at volume with no friction.


How verification worked

Each finding was confirmed directly against the live application rather than inferred from code review alone. The hardcoded key was confirmed by inspecting live outbound requests and matching the value against the constant visible in the page source. Local Storage contents were inspected directly in an authenticated session to confirm both tokens were present and readable client-side. The enumeration flaw was confirmed by submitting both a known registered email and a fabricated one through the password reset flow and comparing the exact response text. The absence of rate limiting was confirmed by sending repeated requests against the reset and login endpoints and observing no lockout, delay, or blocking behaviour at any point.


Outcome

The full finding set, all four rated high severity, was compiled and delivered to the platform's developer directly, framed around the specific gap between the public-facing security claims and what the authentication and session architecture actually enforced. The session storage issue was flagged as the most consequential long-term risk given the platform's growing base of real transactional users.


Notes for platforms making public security claims

Advertising enterprise-grade security is a statement made to users who are trusting the platform with real financial and legal information, and it should reflect an actual security posture, not just a landing-page line. Hardcoded backend keys and tokens sitting in Local Storage are common outcomes of AI-assisted development, where the fastest working implementation ships without a second pass on where credentials end up or how sessions are meant to expire. Neither issue is difficult to fix once identified. The risk is in shipping the marketing claim before the architecture underneath has actually been tested against it.

Back to case studies