A recent report from VentureBeat reveals that HuggingFace, a prominent AI leader specializing in pre-trained models and datasets, narrowly escaped a potential devastating cyberattack on its supply chain. The incident underscores existing vulnerabilities in the rapidly expanding field of generative AI.
Lasso Security researchers conducted a security audit on GitHub and HuggingFace repositories, uncovering more than 1,600 compromised API tokens. These tokens, if exploited, could have granted threat actors the ability to launch an attack with full access, allowing them to manipulate widely-used AI models utilized by millions of downstream applications.
The seriousness of the situation was emphasized by the Lasso research team, stating, "With control over an organization boasting millions of downloads, we now possess the capability to manipulate existing models, potentially turning them into malicious entities."
HuggingFace, known for its open-source Transformers library hosting over 500,000 models, has become a high-value target due to its widespread use in natural language processing, computer vision, and other AI tasks. The potential impact of compromising HuggingFace's data and models could extend across various industries implementing AI.
The focus of Lasso's audit centered on API tokens, acting as keys for accessing proprietary models and sensitive data. The researchers identified numerous exposed tokens, some providing write access or full admin privileges over private assets. With control over these tokens, attackers could have compromised or stolen AI models and supporting data.
This discovery aligns with three emerging risk areas outlined in OWASP's new Top 10 list for AI security: supply chain attacks, data poisoning, and model theft. As AI continues to integrate into business and government functions, ensuring security throughout the entire supply chain—from data to models to applications—becomes crucial.
Lasso Security recommends that companies like HuggingFace implement automatic scans for exposed API tokens, enforce access controls, and discourage the use of hardcoded tokens in public repositories. Treating individual tokens as identities and securing them through multifactor authentication and zero-trust principles is also advised.
The incident highlights the necessity for continual monitoring to validate security measures for all users of generative AI. Simply being vigilant may not be sufficient to thwart determined efforts by attackers. Robust authentication and implementing least privilege controls, even at the API token level, are essential precautions for maintaining security in the evolving landscape of AI technology.
