11% of vibe-coded apps are leaking Supabase keys

supaexplorer.com

28 points by xyborg 18 hours ago · 5 comments

xyborgOP 18 hours ago

Something remarkable happened in 2024-2025: building a full-stack app became easy. Tools like Supabase, combined with AI coding assistants and no-code builders, let solo founders ship production apps in days, not months.

But speed comes at a cost. As we started using SupaExplorer to audit projects, we noticed a pattern: many apps were misconfiguring their Supabase setup. The anon key in client-side code is fine; it's designed to be public. But we found apps exposing the service_role key (which bypasses RLS), or using the anon key with tables that had no RLS policies at all.

We decided to quantify the problem. Over the past month, we collected launch URLs from five major indie product directories and systematically scanned each one.

- 20,052 URLs scanned
- 2,217 domains exposed
- 11.04% exposure rate
- 2,325 critical exposures

What's Being Leaked

Not all exposures are equal. Finding a Supabase project URL and anon key in client code is expected, as both are designed to be public. The anon key provides low-privilege access that respects your Row Level Security policies.

The danger is when apps expose the service_role key (or the new sb_secret_... format), the elevated-privilege key meant only for server-side use. Of the 2,960 files flagged, we found credentials that could bypass RLS in a significant portion. We also verified which exposed databases had tables without RLS protection.

I would love to hear your thoughts on this, and how we can generate awareness about this topic.
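The post draws the line between the anon key (public by design, subject to RLS) and the service_role key or the newer sb_secret_ key (bypasses RLS, server-side only). The difference is visible in the credential itself: the legacy Supabase keys are JWTs whose payload carries a `role` claim of `anon` or `service_role`, and the newer keys are prefixed `sb_publishable_` or `sb_secret_`. The following is an added example, not SupaExplorer's code, of a pre-deploy check a team can run over its own built client assets before shipping: it finds candidate keys, classifies each as public, secret or unknown, and sorts the findings so the ones that must never ship come first. The sample bundle, project ref and every key in it are constructed (the JWTs are unsigned fakes built in the script); the claim names are taken from the legacy Supabase key format as assumed here.

```python
"""Classify Supabase credentials found in built client-side assets.

Added example (not SupaExplorer's code). Assumptions, labelled:
  - legacy Supabase keys are JWTs whose payload has a "role" claim of
    "anon" (public) or "service_role" (secret);
  - newer keys start with "sb_publishable_" (public) or "sb_secret_" (secret).
The bundle scanned below is constructed and every key in it is fake.
"""
import base64
import json
import re

# Compact JWT: three base64url segments; "eyJ" is base64 for a '{"' JSON header.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
NEW_KEY_RE = re.compile(r"sb_(publishable|secret)_[A-Za-z0-9_-]+")
SEVERITY = {"secret": 0, "unknown": 1, "public": 2}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_role(token):
    """Return the 'role' claim from a JWT payload, or None if it can't be read.
    No signature verification: we only want to know which kind of key shipped."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    if not isinstance(payload, dict):
        return None
    return payload.get("role")


def classify_key(token):
    """Map a candidate key to 'public' (fine in a browser bundle),
    'secret' (must never ship to clients) or 'unknown'."""
    if token.startswith("sb_secret_"):
        return "secret"
    if token.startswith("sb_publishable_"):
        return "public"
    role = jwt_role(token)
    if role == "service_role":
        return "secret"
    if role == "anon":
        return "public"
    return "unknown"


def scan_bundle(text):
    """Find every candidate key in a bundle; return findings, most severe first.
    Only a prefix of each key is reported so the scan output itself is safe to log."""
    findings, seen = [], set()
    for match in list(JWT_RE.finditer(text)) + list(NEW_KEY_RE.finditer(text)):
        token = match.group(0)
        if token in seen:
            continue
        seen.add(token)
        findings.append({"prefix": token[:16] + "...", "kind": classify_key(token)})
    return sorted(findings, key=lambda f: SEVERITY[f["kind"]])


def _fake_jwt(role):
    """Constructed, unsigned JWT shaped like a legacy Supabase key (fake ref, dummy signature)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(
        json.dumps({"iss": "supabase", "ref": "fakeprojectref000000", "role": role}).encode()
    )
    return f"{header}.{payload}.{'x' * 43}"


ANON_JWT = _fake_jwt("anon")
SERVICE_JWT = _fake_jwt("service_role")

# Constructed sample of a built JS bundle with one public key of each format and
# one secret key of each format left behind (e.g. an admin helper that got bundled).
SAMPLE_BUNDLE = f"""
const supabaseUrl = "https://fakeprojectref000000.supabase.co";
const supabase = createClient(supabaseUrl, "{ANON_JWT}");
const adminClient = createClient(supabaseUrl, "{SERVICE_JWT}");
const publishable = "sb_publishable_EXAMPLEkey0123";
const secret = "sb_secret_EXAMPLEkey4567";
"""

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(f"{finding['kind']:8} {finding['prefix']}")
```

Wire `scan_bundle` over the `dist/` output in CI and fail the build on any `secret` finding; that catches the service_role leak the post describes at the point where it is cheapest to fix. An `unknown` result is worth a look too, since a JWT without the expected role claim is still something that should not be in a browser bundle without a reason.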

  • alexhans 8 hours ago

    A quick reaction is that there's almost 2 different intents that need to be considered here:

    - We want to build a business opportunity around auditing.

    - We want to reduce the amount of insecure Supabase apps.

    They align somewhat but decisions may vary based on your lens when deciding how much weight to put for watch.

    - IANAL, I assume you can or have assessed legal considerations around passive/active/automated scanning of this nature.

    - In a direct world you could communicate the fix automatically to the right target for all your finds and track whether they fix the issue (audit periodically at a non spammy/cost inducing frequency)?

    - In the general sense I'd try to estimate where I think the error manifests itself to attempt different solutions and find ways to measure those, where am I fixing the problem?

      - LLM generated code: benchmark and evals to measure which popular programmatic LLMs recommend the right approach.
    
      - Community recommendations: Make your case within the community to modify the appropriate tutorials.
    
    - Is there something in the core tools (I don't really know Supabase) that would make it less likely for a developer following an outdated or malicious tutorial to do the insecure thing?

    Security is always a fun problem to think about once you start thinking about it from an economics lens of rational actors with limited knowledge and varying incentives.

    • xyborgOP 3 hours ago

      Yes, both statements are true, I am building a business around this, but I do also want to reduce the amount of insecure Supabase applications, and that's why I open-sourced my Chrome Extension, which is also free. Because that's a quick check any non-technical person can do.

      I am currently in communication with many of the sources I used to harvest those sites, so they can warn them, and I also offered a quick API integration that can be plugged in during their submission process, so they can warn users right before they launch their apps on those directories. Another option is to get their contact information, but there is no way I can get into their inboxes without being labeled as SPAM :/

      Also, another thing I offer for free on my site is the possibility of running an automated audit on your project: you just connect to Supabase using OAuth and get a report of what's missing. From there you can either click the "fix in Cursor" or copy results button and ask your favourite LLM to fix it, or buy my advanced report with the fixes for 5 bucks. But I do offer a free option though.

      About this: "- LLM generated code: benchmark and evals to measure which popular programmatic LLMs recommend the right approach.", check this out https://cset.georgetown.edu/wp-content/uploads/CSET-Cybersec...

      And, when it comes to community recommendations, I am doing my best, reaching out to dev influencers, posting regularly on /r/Supabase/ (not spamming, providing real value).

      Last but not least, Supabase did add a LOT of new features in their dashboard to warn and prevent users from shipping tools unprotected, but the issue is many of these apps were created using CLI, GUI, or Web tools where the user almost never goes to Supabase's dashboard, so they never see those warnings :(

evanreichard 2 hours ago

How did you qualify a project as vibe coded?
