This is an illustrative scenario. Names, details, and quotes are fictional.
How An Online Course Platform secured its course platform
Three-person team found an exposed admin panel in their Lovable + Supabase course platform
The challenge
A three-person team built an online course platform with Lovable and Supabase that hosted courses for 30 independent creators. The platform handled student enrollments, video hosting, payment processing, and creator payouts. A creator reported that their paid course content was accessible without a subscription. The team suspected more issues but had no security testing experience and needed answers fast before creators lost trust.
Vulnerabilities discovered
VibeEval found 18 security issues across this course platform application.
Admin Panel Publicly Accessible
Course Paywall Bypass
Cross-Site Scripting in Discussion Forums
Insecure Direct Object Reference on Grades
Missing Role-Based Access Control
Broken Authentication on Mobile API
Creator Payout Data Exposure
Missing Input Sanitization
Insecure File Storage Permissions
Missing HTTPS Enforcement
Weak Session Management
Debug Endpoints in Production
The solution
VibeEval discovered that the admin panel was accessible without authentication due to a misconfigured Supabase RLS policy, and that paid course videos could be accessed by directly hitting the Supabase storage URL without a valid subscription. The team fixed all critical issues in 10 days, locked down the Supabase policies, and deployed continuous scanning.
"Our creators' paid content was accessible for free and the admin panel was wide open. VibeEval found both in the first scan. We fixed them the same day and now scan every commit."
Frequently asked questions
How was the admin panel publicly accessible?
The Supabase RLS policies for admin functions were not properly configured. The frontend checked for admin roles, but the underlying tables behind the Supabase API endpoints had no row-level security enabled, so the client-side role check was the only control. Anyone who knew the endpoint URL could call admin features directly, bypassing the frontend entirely.
How did the course paywall bypass work?
Paid course videos were stored in Supabase Storage with public bucket permissions. The video URLs followed a predictable pattern using the course ID, so anyone could access paid content by constructing the URL directly.
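The two fixes described in the answers above (enabling RLS on the admin tables so the client-side role check is no longer the only control, and taking the video bucket private so a guessable object path is no longer enough) can both be expressed as Supabase SQL. The block below is an added example, not code from the case study or from VibeEval; the table and column names (public.profiles with a role column, public.subscriptions with user_id, course_id and status, a public.admin_settings table, and a bucket named course-videos whose object paths start with the course id) are assumptions for illustration.

```sql
-- Added example (not the case study's own code). Assumed schema:
--   public.profiles(id uuid, role text)
--   public.subscriptions(user_id uuid, course_id uuid, status text)
--   public.admin_settings(...)            -- any admin-only table
--   storage bucket 'course-videos' with object paths <course_id>/<file>.mp4

-- 1. Admin tables. The weak state the case study describes is RLS left off,
--    so the frontend role check was the only gate. Enabling RLS makes the
--    table deny-by-default for API callers; the policy then admits only
--    callers whose profile row says they are an admin.
alter table public.admin_settings enable row level security;

create policy "admins only"
  on public.admin_settings
  for all
  to authenticated
  using (
    exists (select 1 from public.profiles p
            where p.id = auth.uid() and p.role = 'admin')
  )
  with check (
    exists (select 1 from public.profiles p
            where p.id = auth.uid() and p.role = 'admin')
  );

-- 2. Course videos. The weak setting was a public bucket, which serves any
--    object to anyone holding the URL regardless of subscription. A private
--    bucket hands the decision to RLS on storage.objects instead.
update storage.buckets set public = false where id = 'course-videos';

create policy "active subscribers read their course videos"
  on storage.objects
  for select
  to authenticated
  using (
    bucket_id = 'course-videos'
    and exists (
      select 1 from public.subscriptions s
      where s.user_id = auth.uid()
        and s.status = 'active'
        -- assumed path layout: first path segment is the course id
        and s.course_id::text = split_part(name, '/', 1)
    )
  );

-- 3. Checks to run after the change. Any row returned is a finding:
--    a public-schema table with RLS still off, or a bucket still public.
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

select id from storage.buckets where public;
```

Two caveats follow from this design. The admin policy is only as strong as the profiles.role column, so that column must not be writable by the user it describes (its own RLS policy should restrict updates to a server-side role or a trusted function); otherwise a student could promote themselves. And once the bucket is private, the frontend has to fetch videos through the authenticated storage API or a short-lived signed URL issued server-side, because that is the request path on which the storage.objects policy is evaluated.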
How did fixing these issues help creator retention?
The team shared the VibeEval scan report with creators showing the issues were found and fixed. Transparency about the security improvements actually strengthened creator trust in the platform.
What does continuous scanning look like?
Every commit triggers a VibeEval scan that completes in minutes. New vulnerabilities are reported to the team via Slack and block the merge if they are critical or high severity.
Get similar results for your application
Start scanning your application for vulnerabilities today. Free trial available.