Saved February 14, 2026
The author used the rep+ tool to discover a Supabase JWT embedded in a website's JavaScript, which led to unauthorized access to sensitive data, including password reset tokens. This exposure raised concerns about the enforcement of Row Level Security across the platform.
The author discovered a serious security issue while exploring a website with the rep+ tool, which is designed for security testing. They came across an anonymous Supabase JWT embedded in the site's JavaScript. Such a key is intended to be public, so authorization depends entirely on Row Level Security (RLS) being enforced on every table the API exposes. Using this token, they tested various endpoints to see whether RLS was properly enforced. The findings were alarming: the token had read access to a table containing password reset tokens, which could lead to full account takeover.
After confirming that the anonymous token could read from the password_reset_tokens table, they noted that 272 tokens were available. This raised the question of whether the RLS failure was isolated or indicative of a broader problem. To find out, the author wrote a Python script to automate checking read access across all exposed tables, aiming to identify any systemic authorization weakness and to gauge the full severity of the exposure.
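The control that failed here is at the table level: the anon key is public by design, so the reset-token table was readable only because RLS and the role grants allowed it. The following Postgres/Supabase SQL is an added example, not code from the article, showing the weak state beside the hardened one and two audit queries a project owner can run to find the same class of exposure; the table's column layout is assumed from the article's description.

```sql
-- Added example (not from the article): a reset-token table as it might be
-- created, then the same table hardened. Column layout is an assumption.

-- WEAK: created without RLS. In a Supabase project the anon and authenticated
-- roles carry default grants on the public schema, so every row of this table
-- is readable through the REST API with the public anon JWT.
CREATE TABLE public.password_reset_tokens (
  id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  user_id    uuid NOT NULL,
  token      text NOT NULL,
  expires_at timestamptz NOT NULL
);

-- HARDENED: reset tokens are only ever handled by server-side code running
-- as the service role, so the browser-facing roles need no access at all.
ALTER TABLE public.password_reset_tokens ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.password_reset_tokens FORCE ROW LEVEL SECURITY;  -- owner too
REVOKE ALL ON TABLE public.password_reset_tokens FROM anon, authenticated;
-- With RLS enabled and no policy defined, even a role that kept a SELECT
-- grant sees zero rows; the REVOKE removes the grant as defense in depth.

-- AUDIT 1: every table in the API-exposed schema that still has RLS disabled.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')      -- ordinary and partitioned tables
  AND NOT c.relrowsecurity
ORDER BY table_name;

-- AUDIT 2: policies that give the anon role (or all roles) unconditional
-- read access, which leaves RLS "enabled" but still meaningless.
SELECT tablename, policyname, roles, cmd
FROM pg_policies
WHERE schemaname = 'public'
  AND cmd IN ('SELECT', 'ALL')
  AND ('anon' = ANY(roles) OR 'public' = ANY(roles))
  AND qual = 'true';
```

Any table returned by either audit query is readable with nothing more than the JWT shipped in the site's JavaScript.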