December 4, 2023 at 09:06AM
Lasso Security researchers found over 1,500 API tokens, including those of Meta and Google, exposed on Hugging Face, risking supply chain attacks and allowing access to 723 organizations. Exposed tokens with write permissions could alter files, steal private models, or poison data, affecting over a million users. All affected parties were notified and secured the breaches.
Meeting Takeaways:
1. **Massive Exposure of API Tokens**: Lasso Security discovered over 1,500 exposed API tokens on Hugging Face. This exposure compromised access to 723 organizations’ accounts, including tech giants and notable AI research groups.
2. **Permissions and Organizations Affected**: The majority of the tokens (655 out of 1,500) had write permissions, which means they could modify files within the repositories. 77 organizations were vulnerable, including notable names like Meta, EleutherAI, and BigScience Workshop, associated with AI projects such as Llama, Pythia, and Bloom.
3. **Response to Discovery**: The organizations affected, including Meta, did not respond to comments when contacted by The Register but had resolved the security issues not long after being notified.
4. **Potential Threats and Exploitation Scenarios**: Researchers indicated that the exploitation of these API tokens could have severe consequences, such as data theft, training data poisoning, or complete model theft. This would have put over a million Hugging Face users at risk. The researchers were also able to modify datasets and potentially could have tampered with thousands of private models.
5. **Hypothetical Impact Examples**: Illustrative scenarios were provided, such as the possibility of Google’s anti-spam filters being compromised, or dataset manipulation that could misclassify network traffic, leading to performance issues.
6. **Severity of the Breach**: Lasso Security highlighted the seriousness of the breach, emphasizing they attained complete access to the high-profile organizations’ models, which could have allowed them to distribute corrupted AI models to vast numbers of users.
7. **Lasso Security’s Actions and Findings**: The team presented how they discovered the tokens through searches and validated them using the whoami Hugging Face API. They also identified a deprecated but still vulnerable API (org_api) that could read private models, including from major organizations like Microsoft.
8. **Preventative Measures**: Hugging Face, like GitHub, has a tool to alert users of exposed API tokens. Additionally, GitHub offers a Secret Scanning feature that is free for all users to help prevent such leaks.
9. **Resolution**: Affected organizations were informed by Lasso Security. Major companies like Meta, Google, Microsoft, and VMware acted promptly by revoking the vulnerable API tokens and addressing the exposed code in their repositories.