AI Vulnerabilities Exposed: Hugging Face API Tokens Compromise Meta's Llama 2
Originally Published 2 years ago — by The Register
Researchers at Lasso Security discovered over 1,500 exposed API tokens on the Hugging Face platform, including tokens from tech giants Meta, Microsoft, Google, VMware, and more. These exposed tokens granted write permissions, allowing potential attackers to modify files in account repositories. The researchers were able to gain access to 723 organizations' accounts, including those of Meta, EleutherAI, and BigScience Workshop. If exploited, these tokens could have led to data theft, poisoning of training data, and stealing of models, impacting over 1 million users. The exposed tokens have since been revoked and the vulnerabilities closed.