AI platform Hugging Face says hackers have stolen authentication tokens from Spaces

AI News


AI platform Hugging Face has announced that its Spaces platform was breached, allowing hackers to access members' authentication secrets.

Hugging Face Spaces is a repository of AI apps created and submitted by users in the community, allowing other members to demo them.


“Earlier this week, our team detected unauthorized access to the Spaces platform, specifically access related to Spaces Secrets,” Hugging Face warned in a blog post.

“As a result, we suspect that some of Spaces' secrets may have been accessed without authorization.”

Hugging Face said it has already revoked authentication tokens for the compromised confidential information and notified those affected by email.

However, we encourage all Hugging Face Spaces users to update their tokens and switch to fine-grained access tokens, which give organizations more control over who can access their AI models.

The company is working with external cybersecurity experts to investigate the breach and has reported the incident to law enforcement and data protection authorities.

The AI ​​platform said it has stepped up security over the past few days in response to the incident.

“Over the past few days, we have made other significant improvements to the security of our Spaces infrastructure, including permanently removing organizational tokens (improving traceability and auditability), implementing a Key Management Service (KMS) for Spaces secrets, hardening and expanding our system's ability to identify and proactively revoke leaked tokens, and improving general security. We also plan to completely phase out 'legacy' read and write tokens in the near future once fine-grained access tokens reach functional parity. We will continue to investigate any potentially related incidents.”

❖ Hugging face

As Hugging Face has grown in popularity, it has also become a target for threat actors seeking to leverage it for malicious activity.

In February, cybersecurity firm JFrog discovered nearly 100 instances of malicious AI ML models that were used to execute malicious code on victim machines, with one of the models opening a reverse shell, allowing a remote threat actor access to the device running the code.

More recently, a security researcher at Wiz discovered a vulnerability that allowed users to upload custom models and leverage a container escape to access other customers' models across tenants.



Source link

21 thoughts on “AI platform Hugging Face says hackers have stolen authentication tokens from Spaces

  1. I recently found IndoNovelList and it’s amazing for discovering new anime and manga content. The variety of genres from action to romance is impressive. It really helps me keep track of my favorite series easily.

  2. I recently found IndoNovelList and it’s amazing for discovering new anime and manga content. The variety of genres from action to romance is impressive. It really helps me keep track of my favorite series easily.

  3. I recently found IndoNovelList and it’s amazing for discovering new anime and manga content. The variety of genres from action to romance is impressive. It really helps me keep track of my favorite series easily.

Leave a Reply

Your email address will not be published. Required fields are marked *