Tag: open | Page 4

ChatGPT Hallucinations Open Developers to Supply-Chain Malware Attacks

June 6, 2023/in Computer Security

Attackers can exploit ChatGPT’s penchant for returning false information to spread malicious code packages, researchers have found. This poses a significant risk for the software supply chain, as it can allow malicious code and trojans to slide into legitimate applications and code repositories like npm, PyPI, GitHub and others.

By leveraging so-called “AI package hallucinations,” threat actors can create ChatGPT-recommended, yet malicious, code packages that a developer could inadvertently download when using the chatbot, building them into software that then is used widely, researchers from Vulcan Cyber’s Voyager18 research team revealed in a blog post published today.

In artificial intelligence, a hallucination is a plausible response by the AI that’s insufficient, biased, or flat-out not true. They arise because ChatGPT (and other large language models or LLMs that are the basis for generative AI platforms) answer questions posed to them based on the sources, links, blogs, and statistics available to them in the vast expanse of the Internet, which are not always the most solid training data.

Due to this extensive training and exposure to vast amounts of textual data, LLMs like ChatGPT can generate “plausible but fictional information, extrapolating beyond their training and potentially producing responses that seem plausible but are not necessarily accurate,” lead researcher Bar Lanyado of Voyager18 wrote in the blog post, also telling Dark Reading, “it’s a phenomenon that’s been observed before and seems to be a result of the way large language models work.”

He explained in the post that in the developer world, AIs also will also generate questionable fixes to CVEs and offer links to coding libraries that don’t exist — and the latter presents an opportunity for exploitation. In that attack scenario, attackers might ask ChatGPT for coding help for common tasks; and ChatGPT might offer a recommendation for an unpublished or non-existent package. Attackers can then publish their own malicious version of the suggested package, the researchers said, and wait for ChatGPT to give legitimate developers the same recommendation for it.

How to Exploit an…

Source…

Google: Malware Infected Streaming Devices Are Built on Android Open Source Project, Not Android TV

May 28, 2023/in Computer Security

Google said Android-branded streaming devices sold through popular e-tail channels including Amazon, and loaded with adware out of the box are powered by Android Open Source Project software and not Android TV.

“We have recently received questions regarding TV boxes that are built with Android Open Source Project and are being marketed to appear as Android TV OS devices,” Google said in a blog posted late last week.

“Some of them may also come with Google apps and the Play Store that are not licensed by Google, which means that these devices are not Play Protect certified,” Google added. “To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

The devices in question, marketed under brand names like T95Max, RockChip X12 Plus and RockChip X88 Pro 10, are based on system-on-a-chip hardware from AllWinner and RockChip.

On Amazon, the T95 is listed as a “Android 10.0 TV Box. Nowhere is a distinction made between “Android Open Source Project” and “Android TV.”

Ontario, Canada-based IT pro Daniel Milisic published last year on GitHub his experience with a T95, which has a four-star rating on Amazon amid 744 reviews.

Milisic said the device began connecting out of the box with a botnet network of thousands of other infected Android TV gadgets around the world. The device, he said, immediately sought out a command and control server, which downloaded additional malware to his gadget.

The malware enabled the T95 to begin conducting ad-click fraud, clicking on ads in the background.

In his GitHub post, Milisic published the script he used to “defang” what he described as a “no good, awful, nasty little ARM-powered TV/hobby box.”

Milisic’s findings were confirmed by Electronic Frontiers Foundation security researcher Bill Budington in this…

Source…

Welcome to open source, Elon. Your Twitter code just got a CVE for shadow ban bug • The Register

April 8, 2023/in Internet Security

The chunk of internal source code Twitter released the other week contains a “shadow ban” vulnerability serious enough to earn its own CVE, as it can be exploited to bury someone’s account of sight “without recourse.”

The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that’s said to power Twitter’s For You timeline. This system was made public by Twitter on March 31, adding to the libraries of open source software it already released over years, long before Elon Musk took over.

That recommendation engine, we’d like to quickly note, seems more of a curiosity than anything else: while it shows what kinds of tweets and engagement are deemed important or harmful to Twitter, we’re not sure there’s enough there to do anything terribly practical with it, in terms of building your own social network or offering to improve Elon’s. It’s more marketing sauce than open source.

According to Lois’s study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user applies global reputation penalties to the account that are practically impossible to overcome based on how Twitter’s recommendation algorithm treats negative actions.

As a result, Lois said, Twitter’s current recommendation algorithm “allows for coordinated hurting of account reputation without recourse.” Mitre has assigned CVE-2023-23218 to the issue.

Because this bug is in Twitter’s recommendation algorithm, it means that accounts that have been subject to mass blocking are essentially “shadow-banned,” and won’t show up in recommendations despite the user being unaware they’ve been penalized. There seems to be no way to correct that kind of action, and it ideally shouldn’t be possible to game the system in this way, but it is.

Lois pointed to several examples of Twitter users encouraging mass follows and unfollows, blocking and other actions that have disproportionately negative weight on targeted accounts as examples that the behavior is being exploited in the wild. Lois also said apps such as Block Party, which allow Twitter users to mass-filter accounts, are formalized tools that – whether intentional or not – end up having…

Source…

Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors

April 5, 2023/in Computer Security

Texas-based smart home product provider Nexx appears to have ignored repeated attempts to report serious vulnerabilities that can be exploited by hackers to remotely open garage doors, and take control of alarms and smart plugs.

Nexx offers smart alarms, garage door controllers, and smart plugs, all of which can be controlled remotely from a dedicated mobile application.

Researcher Sam Sabetan discovered that these products are affected by serious vulnerabilities in late 2022 and disclosed their details on Tuesday.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory to warn individuals and organizations using Nexx products about the flaws identified by the researcher. The agency said the impacted products are used by commercial facilities worldwide.

Sabetan and CISA said their attempts to report the vulnerabilities to Nexx were ignored. SecurityWeek has also reached out to Nexx for comment.

The researcher has discovered five types of vulnerabilities, most of which have been assigned ‘high’ or ‘critical’ severity ratings. The list of issues includes the use of hardcoded credentials, authorization bypass flaws that can be leveraged to execute unauthorized actions, information disclosure issues, and improper authentication.

In a real world attack scenario, an attacker can exploit these vulnerabilities to open or close garage doors remotely over the internet, hijack any alarm system, and turn on/off smart plugs connected to household appliances.

In order to conduct an attack, the hacker only needs the targeted user’s device ID, email address, name, or MAC address, depending on the type of device they are targeting.

A video demo made by the researcher shows how a hacker can obtain the information of hundreds of users.

“It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts,” Sabetan explained.

Source…

Tag Archive for: open