VOICE ARCHIVE

@sagitz_
16 posts
2024-04-07
We were wondering: What would happen if we uploaded a malicious (pickle) model to Hugging Face and interacted with it using Inference API? Would our code be executed? Would our model share the same infrastructure as other Hugging Face users? 🤔
2024-04-07 View on X
Infosecurity

Wiz details two now-fixed security issues on the Hugging Face AI platform that put customer data at risk, as Hugging Face partners with Wiz to improve security

Cloud security provider Wiz found two critical architecture flaws in generative AI models uploaded to Hugging Face, the leading hub for sharing AI models and applications.

We uploaded a backdoored AI model to @HuggingFace which we could use to potentially access other customers' data✨ Here is how we did it - and collaborated with Hugging Face to fix it 🧵⬇️ [image]
2024-04-07 View on X

After establishing a foothold inside HF's infrastructure, we quickly noticed that we were running inside a Kubernetes pod hosted on AWS. A couple of EKS tricks later, we were able to escalate our privileges in the cluster and potentially take over the service💥 [image]
2024-04-07 View on X

AI Models can come in different formats, based on the framework they were developed in. Some formats are safe, while others (like Pickle) allow Remote Code Execution as a feature! [image]
2024-04-07 View on X

We took a legitimate model (gpt2) and modified it to execute shell commands when encountering the word ‘Backdoor’ in the prompt. [image]
2024-04-07 View on X

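The two posts above (pickle as a format that executes code on load, and a gpt2 checkpoint modified to run shell commands) describe a mechanism without showing it. The block below is an added example, not code from the thread or from Wiz or Hugging Face: a stand-in "model" object that runs a command when unpickled, a static scanner that lists the globals a pickle would import without executing it, and a restricted loader that refuses anything off an allowlist. The class and function names and the allowlist contents are illustrative assumptions.

```python
"""Added example (not from the thread, Wiz or Hugging Face): a pickle
"model" that runs a shell command when loaded, a static opcode scanner
that spots it, and a restricted loader that refuses it."""
import io
import os
import pickle
import pickletools


class BackdooredModel:
    """Stand-in for a weights object. Pickle stores an object as "call this
    callable with these args to rebuild it"; __reduce__ lets the object pick
    the callable, so merely unpickling it calls os.system(...)."""

    def __reduce__(self):
        return (os.system, ("echo Backdoor triggered",))


def build_malicious_pickle(protocol: int = 4) -> bytes:
    # Constructed payload. Protocol 4 emits STACK_GLOBAL, older protocols
    # emit GLOBAL; a scanner has to understand both encodings.
    return pickle.dumps(BackdooredModel(), protocol=protocol)


def unsafe_load(data: bytes):
    """What pickle.load (and any loader built on it) does by default."""
    return pickle.loads(data)


# Opcodes that push a string onto the pickle VM stack. STACK_GLOBAL consumes
# the two most recent ones as (module, name).
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> list:
    """Disassemble the opcode stream and list every global the pickle would
    import, without running any of it. Deliberately simple: it does not
    follow memo GET/PUT indirection, which a production scanner must."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise pickle.UnpicklingError("malformed STACK_GLOBAL")
            refs.append((strings[-2], strings[-1]))
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.append((module, name))
    return refs


# Globals a plain PyTorch state_dict legitimately needs (illustrative
# allowlist; extend per framework). Anything else is suspicious.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
}


def unexpected_globals(refs):
    return [r for r in refs if r not in ALLOWED_GLOBALS]


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime counterpart of the scanner: refuse to resolve any global that
    is not on the allowlist. Note that os.system pickles as posix.system on
    Unix (nt.system on Windows), so a denylist keyed on "os" alone misses it;
    an allowlist does not have that problem."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    blob = build_malicious_pickle()
    print("globals referenced:", scan_pickle(blob))
    print("not on allowlist:", unexpected_globals(scan_pickle(blob)))
    try:
        safe_load(blob)
    except pickle.UnpicklingError as exc:
        print("restricted loader:", exc)
    # unsafe_load(blob) would run the command at this point.
```

Scanning before loading is the cheap control; the restricted unpickler is the one that actually stops the call, because the scanner only sees the names and not how they are reached. Formats that carry tensors plus a JSON header (safetensors) avoid the problem entirely, which is what "some formats are safe" refers to.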
Kudos to @HuggingFace security and infrastructure team who fixed these issues in record time, and implemented additional security measures to prevent this from happening in the future🤗🙌
2024-04-07 View on X

Hugging Face, one of the best-known AI-as-a-Service providers, conveniently lets users interact with the AI models hosted on their platform using their own inference infrastructure. This feature is called Inference API. [image]
2024-04-07 View on X

2023-07-28
What's the difference? Each of us was running on a different kernel version. Apparently, Ubuntu made changes to OverlayFS a while back. In certain kernel versions, file capabilities are copied as-is, and in some, they are correctly converted relative to the current user namespace [image]
2023-07-28 View on X
BleepingComputer

Wiz researchers say two vulnerabilities in the OverlayFS filesystem module in Ubuntu may allow unprivileged local users to gain elevated privileges

Two Linux vulnerabilities introduced recently into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices.

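To make concrete what "converted relative to the current user namespace" means in the post above, here is an added example, not code from the thread or from the Wiz or Ubuntu write-ups: a decoder and encoder for the security.capability xattr that stores file capabilities (v2 without a rootid, v3 with one), and a small model of the kernel's ownership check that decides whether a capability applies to a process in a given user namespace. The namespace maps and function names are constructed for the demo.

```python
"""Added example (not from the thread or the vendor write-ups): decode the
security.capability xattr and model which user namespaces a capability
applies in, depending on its rootid."""
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000    # 20 bytes, no rootid: owned by global root
VFS_CAP_REVISION_3 = 0x03000000    # 24 bytes, trailing rootid (a kuid)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

CAP_SETUID = 7
CAP_SYS_ADMIN = 21

# Constructed user-namespace chains. Each entry maps kuid -> uid as seen from
# that namespace (only the entries the demo needs), listed from the current
# namespace outward to the initial one.
INIT_NS = {0: 0}        # initial namespace: kuid 0 is root
CHILD_NS = {1000: 0}    # namespace created by uid 1000, who is root inside it


def build_cap_xattr(permitted: int, inheritable: int = 0,
                    effective: bool = True, rootid: int = 0) -> bytes:
    """Encode the way the kernel stores it: v2 when owned by global root,
    v3 carrying a rootid when written by the root of another namespace."""
    rev = VFS_CAP_REVISION_3 if rootid else VFS_CAP_REVISION_2
    magic = rev | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    raw = struct.pack("<IIIII", magic,
                      permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                      permitted >> 32, inheritable >> 32)
    if rootid:
        raw += struct.pack("<I", rootid)
    return raw


def parse_cap_xattr(raw: bytes) -> dict:
    """Decode the on-disk layout (struct vfs_ns_cap_data, little-endian:
    magic_etc, then {permitted, inheritable} x 2, then rootid for v3)."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_2 and len(raw) == 20:
        p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
        rootid = 0
    elif rev == VFS_CAP_REVISION_3 and len(raw) == 24:
        p0, i0, p1, i1, rootid = struct.unpack_from("<IIIII", raw, 4)
    else:
        raise ValueError("unsupported or malformed security.capability value")
    return {
        "revision": rev >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p0 | (p1 << 32),
        "inheritable": i0 | (i1 << 32),
        "rootid": rootid,
    }


def rootid_owns_ns(rootid: int, ns_chain: list) -> bool:
    """Model of the kernel's rootid_owns_currentns(): the capability counts
    only if the rootid kuid is root in the current namespace or an ancestor."""
    return any(uid_map.get(rootid) == 0 for uid_map in ns_chain)


def caps_granted(raw: bytes, ns_chain: list) -> int:
    """Permitted mask a process in ns_chain would get from this xattr, or 0
    when the kernel treats the file as carrying no capability at all."""
    cap = parse_cap_xattr(raw)
    if not rootid_owns_ns(cap["rootid"], ns_chain):
        return 0
    return cap["permitted"]


if __name__ == "__main__":
    # setcap cap_setuid+ep run as root of CHILD_NS stores a v3 with rootid 1000
    ns_cap = build_cap_xattr(1 << CAP_SETUID, rootid=1000)
    # the same bits owned by global root are a 20-byte v2
    glob_cap = build_cap_xattr(1 << CAP_SETUID)
    for label, raw in (("namespaced v3", ns_cap), ("global v2", glob_cap)):
        print(label, parse_cap_xattr(raw))
        print("  inside CHILD_NS:", hex(caps_granted(raw, [CHILD_NS, INIT_NS])))
        print("  in INIT_NS:     ", hex(caps_granted(raw, [INIT_NS])))
```

On a live system the raw value comes from os.getxattr(path, "security.capability"). The point the demo makes: a v3 value with rootid 1000 grants CAP_SETUID only to processes in a namespace where kuid 1000 is root, while the same bits in a v2 value grant it everywhere, including the initial namespace. Any code path that copies a file (and its xattr) between layers therefore has to carry the rootid across or re-derive it for the namespace it is writing from; a copy that ends up with a rootid-less value has turned a namespace-local capability into a global one.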
Our journey started when our team at @wiz_io read the advisory about CVE-2023-0386, a local privilege escalation in the Linux kernel. The vulnerability exploited OverlayFS to copy SUID files from a nosuid mount to outside directories, enabling privilege escalation to root. [image]
2023-07-28 View on X