The viral AI-built social network Moltbook exposed roughly 1.5 million API tokens, tens of thousands of email addresses and thousands of private messages through a misconfigured production database. Wiz researchers found that the Supabase API key embedded in the site's client-side JavaScript granted unauthenticated read and write access to the backing database: such a key is public by design, and the AI-generated schema had omitted Row Level Security, so nothing on the database side restricted what that key could reach. The exposure allowed agent impersonation and content manipulation — #Moltbook #Supabase
Keypoints
- A Supabase API key embedded in Moltbook’s client-side JavaScript gave anyone unauthenticated read and write access to the production database, because no database-side policy restricted what that public key could reach.
- Wiz discovered roughly 1.5 million API authentication tokens, 35,000 user emails, 29,631 signup emails and 4,060 private message conversations were exposed.
- The platform’s implementation was AI-generated (“vibe-coded”) and omitted Row Level Security; the creator confirmed he wrote none of the code by hand.
- Exposed tokens and plaintext OpenAI API keys enabled full agent impersonation and risked compromise of unrelated third-party services.
- Initial fixes blocked read access to sensitive tables quickly, but write access and other misconfigurations persisted until full remediation on February 1.
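The underlying mistake is one any Supabase project can make: the anon key in client JavaScript is expected to be public, and it is Row Level Security on each exposed table that decides what that key can do. The following is an added example, not Moltbook's schema or code and not from the article: a hypothetical `private_messages` table in a Supabase Postgres database, first in the misconfigured shape (no RLS), then locked down with explicit policies, followed by the audit queries a practitioner would run to find other tables in the same state. Table, column and policy names are illustrative assumptions; `auth.uid()`, `auth.users`, and the `anon` and `authenticated` roles are Supabase's own.

```sql
-- Added example (hypothetical schema, not Moltbook's): a table exposed through
-- Supabase's REST API, first with RLS omitted, then hardened.

-- 1. The vulnerable shape. Supabase grants the anon and authenticated roles
--    privileges on tables in the public schema, so with RLS off, anyone holding
--    the (public) anon key can SELECT/INSERT/UPDATE/DELETE every row.
create table public.private_messages (
  id           bigint generated always as identity primary key,
  sender_id    uuid not null references auth.users (id),
  recipient_id uuid not null references auth.users (id),
  body         text not null,
  created_at   timestamptz not null default now()
);
-- No "enable row level security" here: that omission is the misconfiguration.

-- 2. Hardened: turn RLS on and add least-privilege policies. With RLS enabled
--    and no matching policy, every row is denied, so only what is listed
--    below is permitted.
alter table public.private_messages enable row level security;

-- Only the two parties to a conversation may read it.
create policy "participants can read their messages"
  on public.private_messages
  for select
  to authenticated
  using (auth.uid() = sender_id or auth.uid() = recipient_id);

-- A signed-in user may only insert messages as themselves.
create policy "users send as themselves"
  on public.private_messages
  for insert
  to authenticated
  with check (auth.uid() = sender_id);

-- No policy for anon, and none for update/delete: RLS denies them by default.
-- Defence in depth: remove the anon role's table privileges entirely.
revoke all on public.private_messages from anon;

-- 3. Audit. Tables in the public schema that the REST API exposes with RLS off:
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- ...and permissive "allow everything" policies that silently re-open a table.
select schemaname, tablename, policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');
```

Two caveats follow from the same model. The Supabase `service_role` key bypasses RLS entirely, so it must never reach a browser or an agent; and third-party secrets such as users' OpenAI API keys should not live in any anon-reachable table at all, but server-side, encrypted, and read only by code holding the service role.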
Read More: https://thecyberexpress.com/moltbook-platform-exposes-1-5-mn-api-keys/