AI/ML, Phishing

Lovable AI most likely to be harnessed in phishing


Lovable, a generative artificial intelligence platform for building apps, was significantly more vulnerable to being jailbroken to facilitate phishing campaigns than Anthropic's Claude and OpenAI's ChatGPT large language models, scoring the lowest on VibeScamming tests, according to The Hacker News.

After being given a series of malicious prompts, beginning with attack cycle automation, Lovable generated a seemingly legitimate Microsoft login page that was automatically deployed on a subdomain-hosted URL and that redirects to office[.]com once credentials have been compromised, a report from Guardio Labs showed. Both Lovable and Claude were also found to have enabled credential exfiltration to Firebase and other external channels without being detected by security systems.

"As a purpose-built tool for creating and deploying web apps, [Lovable's] capabilities line up perfectly with every scammer's wishlist. From pixel-perfect scam pages to live hosting, evasion techniques, and even admin dashboards to track stolen data, Lovable didn't just participate, it performed. No guardrails, no hesitation," said Guardio Labs researcher Nati Tal.
