Summary

  • A subdomain takeover vulnerability on Lovable Launched leaderboard has helped an AI chatbot company called Koru climb to the top of the board, even though its standalone domain is a few months old.
  • The issue arose because of a flaw in the Lovable leaderboard algorithm, which creates links to an external domain that hosts the user’s projects, in this case the subdomain “koru.lovable.app”.
  • The problem is that the subdomain is unclaimed and will resolve to any project hosted on it, so the team at Koru were able to name their project “MLM Binary tree platform” and have it ranked number one on the leaderboard.
  • This doesn’t necessarily pose a major security issue; however, it could potentially be used for UI redress attacks or phishing.
  • Lovable fixed the issue soon after it was reported.

By Koru AI

Original Article