- Researchers Find 65% of Forbes Top 50 AI Companies Leak Secrets
- These come in the form of tokens, API keys and sensitive credentials
- Wiz used a “Depth, Perimeter and Coverage” approach to detect leaks
AI companies have had quite a checkered history when it comes to cybersecurity and data privacy, and new research from Wiz shows that it still hasn’t improved.
Using Forbes’ ranking of the 50 largest AI companies as a benchmark, the researchers found that nearly two-thirds (65%) of these top AI companies had verified secrets exposed on GitHub.
These tokens, sensitive credentials and API keys were buried deep in places most researchers and scanners never look, such as deleted forks, developers’ personal repositories and gists.
No response
Wiz says it used a “Depth, Perimeter and Coverage” framework to approach these GitHub repositories. The “Depth” element meant searching new sources and going deeper than “secrets on the surface”, an in-depth analysis that reveals more than traditional searches do.
The “Perimeter” aspect of the research broadened discovery to contributors and organization members, who can often “inadvertently check company-related secrets and critical information into their own public repositories.”
“Coverage” concerns newer types of secrets that traditional scanners often miss, such as keys for Tavily, LangChain, Cohere or Pinecone.
Interestingly, when the researchers disclosed these leaks to the affected companies, almost half of the notifications either failed to reach them, went unanswered because there was no official notification channel, or were received but never answered or resolved.
The researchers recommend deploying secret scanning immediately as a non-negotiable defense, whatever the size of your organization.
They also recommend prioritizing detection of your own secret types: “Too many companies are leaking their own API keys by ‘eating their own dogfood.’” If your secret format is new, proactively engage vendors and the open-source community to add support for it.
Finally, they advise companies to set up a dedicated channel for disclosure. A disclosure process is an essential security measure that gives a business a head start on fixing vulnerabilities and leaks, and such channels can be a vital source of information sharing.
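The “coverage” gap and the advice to detect your own secret formats both come down to the same thing: a scanner only finds the token shapes it has rules for. The example below is added here to show that point concretely; it is not Wiz’s tooling or code from the article. It scans a few constructed files with a “traditional” rule set (a generic 32-character hex token), then again after registering the key format of a hypothetical vendor “Acme” (the `acme_live_` prefix is invented for the example and does not describe any real vendor). An entropy check keeps documentation placeholders out of the results, and findings are redacted so the scanner never writes a live secret to its own output.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Baseline rule set standing in for a "traditional" scanner: it knows a generic
# 32-character hex token but nothing vendor-specific.
BASELINE_RULES = {
    "generic_hex_32": re.compile(r"\b[0-9a-f]{32}\b"),
}

# Key format of a hypothetical vendor "Acme": "acme_live_" plus 32 base62 chars.
# Constructed for this example; it does not describe any real vendor's keys.
ACME_RULE = r"\bacme_live_[A-Za-z0-9]{32}\b"

# Matches scoring below this many bits of entropy per character are treated as
# documentation placeholders (e.g. "acme_live_xxxx...") rather than live secrets.
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # the full token is never stored or logged


def redact(token: str) -> str:
    """Keep just enough of the token to locate it in the file."""
    return token[:8] + "..." + token[-4:]


def add_rule(rules: dict, name: str, regex: str) -> dict:
    """Return a copy of a rule set extended with an organisation's own secret format."""
    extended = dict(rules)
    extended[name] = re.compile(regex)
    return extended


def scan_text(path: str, text: str, rules: dict) -> list:
    """Run every rule over every line; drop low-entropy (placeholder) matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in rules.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                if shannon_entropy(token) < MIN_ENTROPY_BITS:
                    continue
                findings.append(Finding(path, line_no, name, redact(token)))
    return findings


def scan_files(files: dict, rules: dict) -> list:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, rules))
    return findings


# Constructed sample content: a README with a placeholder, a developer's gist
# with a live-looking Acme key, and a script with an old-style hex token.
SAMPLE_FILES = {
    "docs/README.md": "Set ACME_API_KEY=acme_live_" + "x" * 32 + " in your environment\n",
    "gist/quick_test.py": 'client = AcmeClient(api_key="acme_live_Q7pK2mZ9xRb4LtN1cVwH8sYdE3fGjU5A")\n',
    "scripts/deploy.sh": "export LEGACY_TOKEN=4b7c1e9f2a8d3056b1e7c9a2f4d8e613\n",
}


def demo():
    """Scan the samples with the baseline rules, then with the Acme rule added."""
    baseline = scan_files(SAMPLE_FILES, BASELINE_RULES)
    extended = scan_files(SAMPLE_FILES, add_rule(BASELINE_RULES, "acme_live_key", ACME_RULE))
    return baseline, extended


if __name__ == "__main__":
    before, after = demo()
    print(f"baseline rules: {len(before)} finding(s); with own key format: {len(after)}")
    for f in after:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

With only the baseline rule the key in the gist is invisible; adding the organisation’s own format is what surfaces it, while the README placeholder stays out of the report. The same rule definition is what you would contribute to vendors and open-source scanners so that everyone else’s coverage improves too.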
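A standard way to publish the dedicated disclosure channel the researchers call for is a `security.txt` file under `/.well-known/` as defined in RFC 9116. The checker below is an added example, not part of the article or of Wiz’s research; it parses a constructed `security.txt`, enforces the RFC’s required fields (`Contact`, `Expires`), the single-occurrence rule for `Expires` and `Preferred-Languages`, the requirement that contact URIs carry a scheme and use https, and the recommendation that `Expires` be less than a year out. The domain, addresses and check time are placeholders chosen for the example.

```python
from datetime import datetime, timezone

# RFC 9116: "Contact" and "Expires" are required; "Expires" and
# "Preferred-Languages" may appear at most once; web URIs must use https.
REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUED_FIELDS = ("Expires", "Preferred-Languages")
MAX_VALIDITY_DAYS = 365  # the RFC recommends an Expires date less than a year out


def parse_security_txt(text: str) -> dict:
    """Parse 'Field: value' lines into {field: [values]}; blank and '#' lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime) -> list:
    """Return a list of problems; an empty list means the file passes these checks."""
    problems = []
    fields = parse_security_txt(text)

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUED_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear only once: {name}")

    for contact in fields.get("Contact", []):
        if contact.startswith("http://"):
            problems.append(f"Contact must use https, not http: {contact}")
        elif not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a URI with a scheme: {contact}")

    for value in fields.get("Expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a time zone")
        elif expires <= now:
            problems.append(f"security.txt expired on {value}")
        elif (expires - now).days > MAX_VALIDITY_DAYS:
            problems.append("Expires is more than a year away")
    return problems


# Constructed sample files; the domain and addresses are placeholders.
GOOD_SECURITY_TXT = """\
# Served at https://example.test/.well-known/security.txt
Contact: mailto:security@example.test
Contact: https://example.test/security/report
Expires: 2025-12-31T23:59:00Z
Preferred-Languages: en
Canonical: https://example.test/.well-known/security.txt
Policy: https://example.test/security/policy
"""

# Two common mistakes: a bare e-mail address instead of a mailto: URI, and a
# file that was published once and left to expire.
BAD_SECURITY_TXT = """\
Contact: security@example.test
Expires: 2024-01-01T00:00:00Z
"""

# Fixed reference time so the checks are reproducible.
CHECK_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, text in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(text, CHECK_TIME) or "OK")
```

Running this in CI against the file you actually serve catches the quiet failure mode the research describes: a channel that exists on paper but that a reporter cannot use because the address is malformed or the file has lapsed.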