In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-10-14 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > IT Information >
Share
Shulou(Shulou.com)12/24 Report--
CTOnews.com, December 5, the security company Lasso Security recently discovered that there is a vulnerability in API tokens on AI model platform Hugging Face. Hackers can obtain tokens from Microsoft, Google, Meta, and other companies, and can access model libraries, pollute training data, or steal or modify AI models.
CTOnews.com learned from security company reports that because the token information of the platform is written in API, hackers can obtain API tokens (token) of model distributors on the platform directly from Hugging Face and GitHub's repository. Security personnel have found a total of 1681 valid tokens from the above platforms.
After a step-by-step analysis of the data from ▲ graphic source security company Lasso Security, security personnel obtained the accounts of 723 enterprises and organizations, including Meta, Microsoft, Google, VMware and Hugging Face officials. Of these, 655 tokens have write access, 77 of which can be written to multiple organizations, giving researchers full control over the model libraries of well-known companies, such as Pythia's EleutherAI, Meta Llama 2, and Bloom's BigScience Workshop.
Lasso Security Security, a ▲ graphic source security company, warns that as long as hackers successfully control these model bases, they can launch a variety of attacks. Not limited to the most basic theft models and data sets, or pollution models themselves, let existing models "carry private goods", thus endangering applications and public facilities that rely on these basic models.
In addition, the security company found a loophole in an org_api tokens that Hugging Face had previously announced that it had been retired, and security personnel slightly modified the code to "revive" the API, successfully allowing researchers to download a number of undisclosed models on the platform, including Microsoft's proprietary model.
At present, security companies have reported the relevant vulnerabilities, while Microsoft, Meta, Google, VMware and other companies have also revoked the previous API tokens and exposed token.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
The market share of Chrome browser on the desktop has exceeded 70%, and users are complaining about
The world's first 2nm mobile chip: Samsung Exynos 2600 is ready for mass production.According to a r
A US federal judge has ruled that Google can keep its Chrome browser, but it will be prohibited from
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
About us Contact us Product review car news thenatureplanet
More Form oMedia: AutoTimes. Bestcoffee. SL News. Jarebook. Coffee Hunters. Sundaily. Modezone. NNB. Coffee. Game News. FrontStreet. GGAMEN
© 2024 shulou.com SLNews company. All rights reserved.
12
Report
