Exposed Hugging Face API Tokens Offered Full Access To Meta's Llama 2 (theregister.com)
The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. From a report: Researchers at Lasso Security found more than 1,500 exposed API tokens on the open source data science and machine learning platform -- which allowed them to gain access to 723 organizations' accounts. In the vast majority of cases (655), the exposed tokens had write permissions granting the ability to modify files in account repositories. A total of 77 organizations were exposed in this way, including Meta, EleutherAI, and BigScience Workshop - which run the Llama, Pythia, and Bloom projects respectively.
The three companies were contacted by The Register for comment but Meta and BigScience Workshop did not respond at the time of publication, although all of them closed the holes shortly after being notified. Hugging Face is akin to GitHub for AI enthusiasts and hosts a plethora of major projects. More than 250,000 datasets are stored there and more than 500,000 AI models are too. The researchers say that if attackers had exploited the exposed API tokens, it could have led to them swiping data, poisoning training data, or stealing models altogether, impacting more than 1 million users.
Obviously (Score:2)
They should've gotten Winamp.
Hugging Face? Llama? (Score:3)
Re: (Score:3)
I think for sure, this is the most confusing Slashdot title in the last decade.
Cloud Computing (Score:3)
And the Cloud rears its ugly head once again.
We already have "Full Access to LLaMA 2" (Score:2)
That said, replacing LLaMA 2 with a different model as a prank could be quite humorous. ;)
For those confused (Score:3)
Hugging Face is akin to GitHub for AI enthusiasts and hosts a plethora of major projects.
Re: (Score:2)
Thanks captain redundant.
Re: (Score:2)
This innovative platform serves as a centralized hub for the exchange of cutting-edge natural language processing (NLP) models, enabling researchers, developers, and data scientists to collaborate seamlessly. With a user-friendly interface and a vibrant community, Hugging Face has become a go-to resource for those seeking state-of-the-art models, datasets, and tools in the field of artificial intelligence.
What? (Score:2)
This headline and its summary are probably the biggest load of gibberish I've ever seen on /.
Re: (Score:2)
The Register is famous for its creative titles
Re: (Score:2)
Only if you're not involved in the AI community; it reads perfectly normally if you're used to Hugging Face.