- Researchers find that 65% of Forbes’ top 50 AI companies are leaking secrets
- These come in the form of tokens, API keys, and sensitive credentials.
- Wiz used a “depth, perimeter and coverage” approach to detect leaks
AI companies have had a pretty rocky history with cybersecurity and data privacy, and new research from Wiz shows this hasn’t gotten better yet.
Looking at the Forbes Top 50 AI companies as a benchmark, experts found that nearly two-thirds (65%) of these top AI companies were leaking verified secrets on GitHub.
These tokens, sensitive credentials, and API keys were found buried deep in places most researchers and scanners would never look, such as removed forks, developers' personal repositories, and gists.
No response
Wiz says it used a “depth, perimeter, and coverage” framework to approach these GitHub repositories, which let it search new sources and go beyond the “secrets on the surface” with deep scanning that uncovers more than traditional searches.
The “perimeter” aspect of the research extended discovery to contributors and members of the organization, who can often “inadvertently check in company-related secrets in their own public repositories and gists.”
“Coverage” relates to new types of secrets that traditional scanners often miss, such as keys for Tavily, LangChain, Cohere, or Pinecone.
Interestingly, when the researchers disclosed these leaks to the affected companies, almost half of the notifications failed: either the message never reached the company because it had no official disclosure channel, or the company did not respond or resolve the issue.
Researchers recommend implementing secret scanning immediately as a non-negotiable defense, regardless of the size of your organization.
They also recommend prioritizing detection of your own types of secrets: ‘Too many vendors leak their own API keys while “eating their own dog food.” If your secret format is new, proactively engage vendors and the open source community to add support.’
Finally, they advise companies to set up a channel dedicated to disclosure. A disclosure process is an essential security measure that lets a company get ahead of vulnerabilities or leaks that outsiders find, so these channels can be a vital source of information.
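As an added illustration of the “detect your own types of secrets” recommendation (example code, not from Wiz or this article): a small scanner that first checks for a hypothetical company-specific key prefix, `acme_sk_`, and only then falls back to a generic name-plus-entropy heuristic, run over constructed sample file content.

```python
import math
import re

# Hypothetical format for a company's own key (assumption: "acme_sk_" plus 32
# alphanumerics). Replace with the real format so the scanner knows it first.
CUSTOM_PATTERNS = {"acme_api_key": re.compile(r"\bacme_sk_[A-Za-z0-9]{32}\b")}
# Generic fallback: a secret-looking name assigned a long token-like value.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxx' score near zero."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Findings for one file. Run over every file in repos, forks and gists."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in CUSTOM_PATTERNS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": lineno, "kind": kind, "value": m.group(0)})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            candidate = m.group(2)
            if any(v in candidate for v in seen):
                continue  # already reported by a custom pattern
            if shannon_entropy(candidate) >= entropy_threshold:
                findings.append({"line": lineno,
                                 "kind": "high_entropy_" + m.group(1).lower(),
                                 "value": candidate})
    return findings

# Constructed sample file content, not from any real repository.
SAMPLE = """\
# settings.py (constructed sample)
ACME_API_KEY = "acme_sk_Ab3dEf9GhJ7kLm2NpQ4rSt8UvWx1YzQ5"
password = "changeme"
DB_TOKEN="pF3kLmqQ9vXz2bNhR7tYw4Jd8Gs1Ce6Ua0"
EXAMPLE_API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""
```

The custom pattern is matched first and deduplicated against the generic pass, so a company's own key is reported under its own name rather than as an anonymous high-entropy string, while the all-`x` placeholder is filtered out by the entropy check.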