Expected Findings
- Profiles endpoint returns multiple users with no row-level filtering.
- Client bundle includes anon and service-role hints.
- Public storage listing reveals object names and staff docs.

The dashboard boot script loads an anon config bundle and requests profiles from a PostgREST-style endpoint that returns every row, regardless of user context.

    SUPABASE_ANON_KEY = "sb-anon-fake";
    SUPABASE_SERVICE_ROLE_HINT = "sr_visible_in_debug";
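
One way to close the first finding, shown as an added example that is not part of the lab's own code: enable row-level security on the profiles table so the PostgREST-style endpoint returns only the caller's row. It assumes a `public.profiles` table whose uuid column `id` holds the Supabase auth user id; the policy name and the test UUID are constructed.

```sql
-- Added example. Assumptions: public.profiles exists and its uuid column "id"
-- holds the Supabase auth user id; policy name and test UUID are constructed.

-- Before (the state the finding describes): RLS is off, so any role with
-- SELECT on the table, including anon, gets every row through the endpoint.
--   alter table public.profiles disable row level security;

-- After: turn RLS on. With RLS enabled and no policy defined, the anon and
-- authenticated roles see no rows at all.
alter table public.profiles enable row level security;

-- Anonymous callers have no reason to read profiles.
revoke all on public.profiles from anon;

-- Signed-in callers may read only the row whose id matches their JWT subject.
create policy profiles_select_own
  on public.profiles
  for select
  to authenticated
  using (auth.uid() = id);

-- Check from the SQL editor: impersonate one constructed user and list the
-- ids visible to that session. The transaction is rolled back afterwards.
begin;
select set_config(
  'request.jwt.claims',
  '{"sub": "00000000-0000-0000-0000-000000000001", "role": "authenticated"}',
  true
);
set local role authenticated;
select id from public.profiles;
rollback;
```

The service-role key bypasses row-level security, so this policy does not protect the table if that key, or anything that leads to it, reaches the client bundle.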