Unveiling the Alarming Security Flaws in 1 Million Exposed AI Services
The rapid integration of artificial intelligence (AI) into business operations has been hailed as a transformative force, promising enhanced efficiency and innovation. However, this swift adoption has inadvertently sidelined critical security protocols, leading to significant vulnerabilities within AI infrastructures.
In response to the escalating concerns surrounding AI security, particularly following the ClawdBot incident, in which a self-hosted AI assistant became notorious for averaging 2.6 Common Vulnerabilities and Exposures (CVEs) per day, the Intruder team embarked on a comprehensive investigation of the security landscape of AI services.
Scope of the Investigation
Utilizing certificate transparency logs, the team identified over 2 million hosts, encompassing 1 million exposed services. The findings were alarming: AI infrastructures exhibited higher levels of vulnerability, exposure, and misconfiguration than any other software previously analyzed.
Key Findings
1. Absence of Default Authentication
A prevalent issue was the deployment of AI services without authentication mechanisms. Many projects lacked default authentication settings, leaving user data and company tools accessible to unauthorized individuals. This oversight poses risks ranging from reputational damage to complete system compromise.
2. Unprotected Chatbots
Several chatbots were found exposing user conversations. For instance, an OpenUI-based chatbot revealed entire LLM conversation histories. While seemingly innocuous, such exposures in enterprise settings can divulge sensitive information. More concerning were generic chatbots hosting various models, including multimodal LLMs, available for unrestricted use. Malicious actors could exploit these to bypass safety measures, generating illicit content or seeking advice for criminal activities without accountability, as they operate on external infrastructures. Additionally, certain chatbots disclosed large volumes of personal, non-safe-for-work conversations, with some even exposing API keys in plaintext.
3. Exposed Agent Management Platforms
Instances of agent management platforms like n8n and Flowise were discovered without authentication, exposing the entire business logic of LLM chatbot services. In one case, a Flowise instance revealed its credential list. Although the stored values were concealed from unauthenticated visitors, attackers could still leverage the connected tools to extract sensitive information. The lack of proper access management controls in AI tools means that access to a bot integrated with third-party systems could grant access to all connected resources. Some setups also exposed internet parsing tools and local functions, such as file writing and code interpretation, making server-side code execution a tangible threat. Over 90 exposed instances were identified across sectors like government, marketing, and finance, leaving chatbots, workflows, prompts, and external access points vulnerable. Attackers could modify workflows, redirect traffic, expose user data, or manipulate responses.
4. Unsecured Ollama APIs
A significant number of Ollama APIs were accessible without authentication and had models loaded. When a simple prompt ("Hello") was sent to these servers, 31% responded without requiring authentication. The responses provided insights into the APIs' uses, including health and wellbeing assistance, cloud management tasks, and more. While Ollama doesn't store messages itself, many instances acted as wrappers around paid frontier models from companies such as Anthropic, DeepSeek, Moonshot, Google, and OpenAI. Of all models identified across the servers, 518 were associated with well-known frontier models.
Inherent Insecurity in Design
Further analysis revealed recurring insecure patterns:
– Poor Deployment Practices: Insecure defaults, misconfigured Docker setups, hardcoded credentials, and applications running with root privileges.
– Lack of Authentication on Fresh Installs: Many projects provided users with high-privilege accounts with full management access upon installation.
– Hardcoded and Static Credentials: Credentials embedded in setup examples and docker-compose files instead of being generated during installation.
– Emerging Technical Vulnerabilities: Within days of lab work, arbitrary code execution was discovered in a popular AI project.
These misconfigurations are exacerbated when agents have access to tools like code interpretation. The potential damage increases when sandboxing is weak, and the infrastructure isn’t isolated in a demilitarized zone (DMZ).
The Trade-off Between Speed and Security
The drive to rapidly deploy AI solutions has led to the neglect of established security best practices. While vendors play a role, the primary driver is the pressure to outpace competitors in AI adoption.
Conclusion
The investigation underscores the critical need for organizations to prioritize security in their AI deployments. Proactive measures, such as regular security assessments and adherence to best practices, are essential to mitigate the risks associated with exposed AI infrastructures.