Exposed Hugging Face API tokens offered full access to Meta's Llama 2 (Security News, December 2023)
The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks.
Researchers at Lasso Security found more than 1,500 exposed API tokens on the open source data science and machine learning platform, which gave them access to 723 organizations' accounts.
The exposed API tokens were discovered by researchers conducting a series of substring searches on the platform and manually collecting them.
GitHub's Secret Scanning feature, available to all users free of charge, is meant to prevent leaks like this, and Hugging Face runs a similar tool that alerts users to API tokens hardcoded into their projects.
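The substring search the researchers describe, and the hardcoded-token alerting that GitHub and Hugging Face run, both reduce to scanning file contents for a token shape and reporting hits without echoing the secret. The following is an added example of such a scanner, written for this page and not code from Lasso Security, GitHub or Hugging Face. It assumes that Hugging Face tokens start with the prefix "hf_" followed by an alphanumeric body (the exact length is not stated on the page, so the pattern accepts 20 or more characters), and the sample files it scans are constructed inline. The optional `check_token_live` function assumes the `/api/whoami-v2` endpoint that the huggingface_hub client uses for `whoami()`; verify it against current documentation, run it only against tokens you own, and note that the offline scan never calls it.

```python
import re
from typing import Dict, List, NamedTuple

# Assumed token shape (not stated on the page): "hf_" plus an alphanumeric body.
# Length is left open; a human reviews the masked hits.
HF_TOKEN_RE = re.compile(r"\bhf_[A-Za-z0-9]{20,}\b")

# Surrounding context that raises confidence a hit is a real credential in use
# (an assignment, a login call, or an HTTP auth header) rather than prose.
CONTEXT_RE = re.compile(r"(token|api_key|authorization|bearer|login)", re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    line_no: int
    masked: str          # the full token is never stored or printed
    high_confidence: bool


def mask(token: str) -> str:
    """Keep prefix and last 4 chars so a hit is recognisable but not reusable."""
    return token[:6] + "..." + token[-4:]


def is_placeholder(token: str) -> bool:
    """Skip documentation placeholders such as hf_xxxxxxxx that match the shape."""
    return set(token[3:]) <= {"x", "X", "0"}


def scan_text(path: str, text: str) -> List[Finding]:
    """Substring/regex search of one file's contents, one Finding per hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in HF_TOKEN_RE.finditer(line):
            token = m.group(0)
            if is_placeholder(token):
                continue
            findings.append(Finding(path, line_no, mask(token),
                                    bool(CONTEXT_RE.search(line))))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, e.g. a checked-out model repository."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def check_token_live(token: str) -> dict:
    """Optional online step, not run by the offline example: ask Hugging Face
    which account a token belongs to. Assumes GET /api/whoami-v2 with a Bearer
    header (the call huggingface_hub makes for whoami()); use only on tokens you own."""
    import json
    import urllib.request
    req = urllib.request.Request(
        "https://huggingface.co/api/whoami-v2",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample repository: two real-looking hardcoded tokens (one in a
# login() call, one in an auth header), one README placeholder, one clean file.
SAMPLE_FILES = {
    "train.py": 'from huggingface_hub import login\n'
                'login(token="hf_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789")\n',
    "README.md": "Set HF_TOKEN=hf_xxxxxxxxxxxxxxxxxxxxxxxx before running.\n",
    "notebook_export.txt": "...\n"
                           "headers = {'Authorization': 'Bearer hf_ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210'}\n",
    "config.yaml": "model: meta-llama/Llama-2-7b\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        flag = "HIGH" if f.high_confidence else "low "
        print(f"[{flag}] {f.path}:{f.line_no}  {f.masked}")
```

Reporting only masked values matters in practice: a scanner whose output is pasted into a ticket or chat otherwise becomes a second leak. The placeholder filter is deliberately narrow; a production scanner would add an allowlist and entropy check rather than widen it.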
While investigating the exposed secrets on Hugging Face, the researchers also found a weakness in its organization API tokens: although these had already been announced as deprecated, they could still be used for read access to repositories and billing access to resources.
"Therefore we decided to investigate it, and indeed the write functionality didn't work, but apparently, even with small changes made for the login function in the library, the read functionality still worked, and we could use tokens that we found to download private models with exposed org api token e.g. Microsoft," says Lanyado in the blog.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/04/exposed_hugging_face_api_tokens/