Leading AI companies keep leaking their own information on GitHub

News
By published

65% of the top AI firms had leaked tokens and keys

A hand reaching out to touch a futuristic rendering of an AI processor.
(Image credit: Shutterstock / NicoElNino)
  • Researchers find 65% of the Forbes top 50 AI companies are leaking secrets
  • These come in the form of tokens, API keys, and sensitive credentials
  • Wiz used a '‘Depth, Perimeter, and Coverage' approach to spot leaks

AI companies have had a pretty rocky history with cybersecurity and data privacy, and new research from Wiz shows this still hasn’t improved.

Looking at the Forbes top 50 leading AI companies as a benchmark, the experts uncovered nearly two-thirds (65%) of these top AI firms were leaking verified secrets on GitHub.

These tokens, sensitive credentials, and API keys were found buried deep in places most researchers and scanners would never encounter, like deleted forks, developer repos, and gists.

No reply

Wiz says it used a ‘Depth, Perimeter, and Coverage’ framework to approach these GitHub repositories, enabling them to access and search for new sources, to go further than the ‘secrets on the surface’ for a deep scan that uncovers more than traditional searches.

The ‘Perimeter’ aspect of their research entailed expanding discovery to contributors and organiztion members, who can often ‘inadvertently check company-related secrets into their own public repositories and gists.’

Coverage relates to new secret types often missed by traditional scanners, like Tavily, Langchain, Cohere, or Pinecone.

Interestingly, when the researchers disclosed these leaks to the targets, almost half of these notifications either failed to reach them, received no response due to a lack of official notification channel, or the company failed to reply or solve the issue.

The researchers recommend deploying secret scanning immediately as a non-negotiable defense - no matter what size your organization is.

They also recommend prioritizing detection for their own secret types; ‘ too many shops leak their own API keys while "eating their dogfood." If your secret format is new, proactively engage vendors and the open source community to add support.’

Finally, they advise that companies prepare a dedicated channel for disclosure. Disclosure protocol is an essential security measure that can give your company a head-start on any vulnerabilities or leaks, so these channels can be a vital information sharing source.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Best identity theft protection header
The best ID theft protection for all budgets

➡️ Read our full guide to the best identity theft protection
1. Best overall:
Aura
2. Best for families:
IdentityForce
3. Best for credit beginners:
Experian IdentityWorks

TOPICS
Ellen Jennings-Trace
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.