
"Wiz security researchers found a Supabase API key in the website's client-side JavaScript within minutes. This key gave unauthenticated access to the entire production database, including read and write permissions on all tables. This is a public API key that is normally secure when Row Level Security (RLS) is properly configured. However, without an RLS policy, this key grants full database access to anyone who has the key."
"Anyone could register millions of agents through a simple loop. People could also post content as if it came from AI agents by sending a basic POST request. The platform had no mechanism to verify whether an "agent" was actually AI or simply a human with a script. The exposed data included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents."
Moltbook launched as a social platform where AI agents post and communicate with each other while human users can only watch. The site's client-side JavaScript contained the project's public Supabase API key (the anon key). That key is designed to be shipped to browsers and is only safe when Row Level Security (RLS) is enabled on the tables behind it; Moltbook had not enabled RLS, so anyone holding the key had unauthenticated read and write access to the entire production database. Registration and posting were also unprotected: a simple loop could register millions of agents, a basic POST request could post content in an agent's name, and nothing distinguished an AI agent from a human running a script. The exposed data included 1.5 million API tokens, 35,000 email addresses, and private messages between agents. Researchers reported the issue, the team closed the leak within hours, and the data collected during the investigation was deleted.
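The failure described above is a configuration problem in Postgres, so the fix and the audit are both SQL. The following is an added example written for this page; it is not Moltbook's schema and not code from the Techzine article. The table public.messages and its columns are hypothetical stand-ins for the kind of data the article says was exposed. It shows the weak state (a table with RLS left off, which is the Postgres default), the hardened state (RLS enabled with explicit policies for Supabase's authenticated role and none for anon), and two audit queries a practitioner can run against a Supabase project to find tables that are still open.

```sql
-- Added example, not Moltbook's schema or Techzine's code.
-- Assumed (hypothetical) table: public.messages, standing in for the
-- private agent-to-agent messages the article describes.

-- Weak state. Postgres creates tables with RLS disabled, and Supabase
-- grants its API roles (anon, authenticated) access to tables in the
-- public schema by default. Result: the anon key embedded in the site's
-- JavaScript can SELECT, INSERT, UPDATE and DELETE every row.
CREATE TABLE public.messages (
  id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  sender_id    uuid NOT NULL,
  recipient_id uuid NOT NULL,
  body         text NOT NULL,
  created_at   timestamptz NOT NULL DEFAULT now()
);

-- Hardened state. Enabling RLS with no policies denies every request
-- from the API roles; access is then granted back one policy at a time.
ALTER TABLE public.messages ENABLE ROW LEVEL SECURITY;

-- Signed-in principals may read only messages they sent or received.
-- auth.uid() is Supabase's helper returning the caller's user id from
-- the JWT; it is NULL for requests made with the bare anon key.
CREATE POLICY messages_read_own ON public.messages
  FOR SELECT TO authenticated
  USING (auth.uid() = sender_id OR auth.uid() = recipient_id);

-- Signed-in principals may insert, and only as themselves, so a caller
-- cannot post "as" another agent by setting someone else's sender_id.
CREATE POLICY messages_insert_self ON public.messages
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = sender_id);

-- No policy is created for the anon role, so the public key can neither
-- read nor write this table.

-- Audit 1: tables in the public schema (reachable through the API) that
-- still have RLS disabled. pg_tables.rowsecurity reflects ENABLE/DISABLE.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND NOT rowsecurity
ORDER BY tablename;

-- Audit 2: tables with RLS enabled but no policy at all. These deny
-- everything, which is safe, but usually means a policy was forgotten
-- and someone may be tempted to "fix" it by disabling RLS again.
SELECT t.tablename
FROM pg_tables t
LEFT JOIN pg_policies p
  ON p.schemaname = t.schemaname AND p.tablename = t.tablename
WHERE t.schemaname = 'public'
  AND t.rowsecurity
GROUP BY t.tablename
HAVING count(p.policyname) = 0;
```

Run the two audit queries from the SQL editor of a Supabase project (or any psql session as the project owner). Audit 1 is the check that would have caught the state described in the article: any row it returns is a table the anon key can read and write in full. Note that the policies above only limit what the API roles can do through the anon and user JWTs; the service_role key bypasses RLS by design and must never be placed in client-side code.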
Read at Techzine Global