Lovable AI: How “VibeScamming” Made Sophisticated Phishing Push-Button Simple

A wave of concern is sweeping the cybersecurity community after the generative AI platform Lovable was exposed as a prime enabler of “VibeScamming”—a new, deeply troubling breed of AI-driven phishing. Security researchers have sounded the alarm on Lovable’s lack of defenses, documenting how anyone, from seasoned hackers to complete novices, can harness its AI backend to automate large-scale, sophisticated phishing attacks with almost no technical skill.

What Is “VibeScamming”?

VibeScamming refers to the use of generative AI—especially platforms designed for rapid, no-code web development—to mass-produce scam campaigns that not only look and feel legitimate but work with a level of polish previously unseen in the phishing world. The term comes from “vibe coding,” describing the practice of telling an AI to build software via conversational prompts, but here it’s weaponized for fraud.

How Lovable Became a Hacker’s Dream

• Lovable allows users to generate full-stack web apps just by describing what they want. Researchers found that with slight prompt modifications, users could steer Lovable’s AI into building:
• Pixel-perfect clones of login pages for Microsoft, banks, and major brands.
• Phishing campaigns that automatically deploy on Lovable’s own subdomains (e.g., *.lovable.app), with seamless redirection to legitimate sites after stealing credentials.
• SMS or email lures generated and sent in bulk via integration with services like Twilio, automating the entire attack cycle.
• Functional admin dashboards to review stolen data—including credentials, IPs, and timestamps—giving attackers a professional toolkit out of the box.

Jailbreaking and Prompt Engineering: The Exploitation Path

Attackers use “jailbreak” prompts, carefully crafted to bypass Lovable’s weak safeguards. Unlike platforms like ChatGPT or Anthropic’s Claude, which tend to resist obviously malicious requests, Lovable has proven uniquely easy to manipulate. Attackers might start with a benign prompt (“make a user login app”), then, through a sequence of nudges, progressively shift toward illicit goals (“now make it look like Microsoft,” “store all logins in plaintext,” “add an admin page to see everyone’s details”).

In tests, Lovable scored a shockingly low 1.8 out of 10 on the VibeScamming Benchmark for resisting such abuse (lower scores mean more risky). For comparison, Claude scored 4.3 and ChatGPT 8.0, with higher numbers indicating better resistance to misuse.

Real-World Impact

The consequences have been immediate and dramatic:

Mass Phishing Campaigns: Researchers and ethical hackers demonstrated that Lovable’s platform, left largely unguarded, has already been used in the wild for credential harvesting and data theft. Entire scam workflows—from fake page generation to data collection—are fully automated.

False Sense of Security: Lovable’s response, a basic “security scanner,” often gives users misleading all-clears, because it only checks for the existence—not the efficacy—of security elements in hosted sites.

Speed and Scale: The efficiency of AI-driven scam creation means criminals can churn out tailored phishing pages in minutes and iterate quickly, outpacing traditional security responses.

Why It Matters

The Lovable incident reveals a growing problem: as generative AI platforms make it easier to build software, they also lower the bar for cybercrime. Without strict guardrails and robust validation, these tools don’t just speed up productivity—they also industrialize phishing, opening the door to widespread, highly convincing cyberattacks by anyone with bad intentions.

Cybersecurity experts warn that the industry must move quickly to implement enforceable security best practices across all AI development tools. Otherwise, VibeScamming and its variants will only become more common and more dangerous.

Key Takeaway:

Lovable’s vulnerabilities transformed it from a powerful, innovative web development assistant into a fully automated phishing engine—highlighting the urgent need for responsible AI security engineering before convenience trumps defense