Leading AI companies keep leaking their own information on GitHub
- Researchers find 65% of the Forbes top 50 AI companies are leaking secrets
- These come in the form of tokens, API keys, and sensitive credentials
- Wiz used a ‘Depth, Perimeter, and Coverage’ approach to spot leaks
AI companies have had a pretty rocky history with cybersecurity and data privacy, and new research from Wiz shows this still hasn’t improved.
Looking at the Forbes top 50 leading AI companies as a benchmark, the experts uncovered nearly two-thirds (65%) of these top AI firms were leaking verified secrets on GitHub.
These tokens, sensitive credentials, and API keys were found buried deep in places most researchers and scanners would never encounter, like deleted forks, developer repos, and gists.
No reply
Wiz says it used a ‘Depth, Perimeter, and Coverage’ framework to approach these GitHub repositories, allowing its researchers to access and search new sources and go beyond the ‘secrets on the surface’ with a deep scan that uncovers more than traditional searches.
The ‘Perimeter’ aspect of their research entailed expanding discovery to contributors and organization members, who can often ‘inadvertently check company-related secrets into their own public repositories and gists.’
Coverage relates to new secret types often missed by traditional scanners, such as those for Tavily, LangChain, Cohere, or Pinecone.
Interestingly, when the researchers disclosed these leaks to the affected companies, almost half of the notifications either failed to reach them, received no response because there was no official notification channel, or were met with no reply or fix from the company.
The researchers recommend deploying secret scanning immediately as a non-negotiable defense – no matter what size your organization is.
They also recommend that companies prioritize detection for their own secret types: ‘too many shops leak their own API keys while “eating their dogfood.” If your secret format is new, proactively engage vendors and the open source community to add support.’
Finally, they advise that companies prepare a dedicated channel for disclosure. Disclosure protocol is an essential security measure that can give your company a head-start on any vulnerabilities or leaks, so these channels can be a vital information sharing source.
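To make the recommendation about detecting your own secret types concrete, here is an added example (not code from Wiz or from the original article) of a custom rule applied to file contents from several sources, including old commits and contributor gists. The `acme_sk_` key format, the entropy threshold, and all sample data are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Hypothetical in-house key format (assumption): "acme_sk_" + 32 base62 characters.
OWN_KEY = re.compile(r"\bacme_sk_([A-Za-z0-9]{32})\b")
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune it on your real keys


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(token: str) -> str:
    """Keep just enough of the token to identify it; never log the full secret."""
    return token[:10] + "..." + token[-2:]


def scan_blobs(blobs):
    """blobs: iterable of (source, path, text). Returns one finding per likely key."""
    findings = []
    for source, path, text in blobs:
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in OWN_KEY.finditer(line):
                if shannon_entropy(m.group(1)) < MIN_ENTROPY:
                    continue  # low entropy: a documentation placeholder, not a key
                findings.append({"source": source, "path": path,
                                 "line": lineno, "token": redact(m.group(0))})
    return findings


# Constructed sample input: the current tree, an old commit, and a personal gist.
SAMPLE_BLOBS = [
    ("org repo, HEAD", "README.md",
     "export ACME_KEY=acme_sk_" + "x" * 32 + "\n"),
    ("org repo, old commit", "notebooks/demo.py",
     'import os\nclient = Client("acme_sk_7Qm2ZtR9vLx4Kd8Wp1Nc6Hy3Bs5Fg0Ja")\n'),
    ("contributor gist", "train.sh",
     "curl -H 'Authorization: Bearer acme_sk_Zk3Xv9Bn2Mq7Lw5Tr1Yp8Gd4Hs6Jc0Fa' "
     "https://api.example.invalid\n"),
]

if __name__ == "__main__":
    for finding in scan_blobs(SAMPLE_BLOBS):
        print(finding)
```

Only the old commit and the gist are reported; the README placeholder is suppressed by the entropy check, and findings carry a redacted token so the scanner's own output does not become a second leak.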