Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces

On May 31, the AI company Hugging Face disclosed a potential breach in which attackers may have gained unauthorized access to secrets stored in its Spaces platform. This was reminiscent of high-severity vulnerabilities disclosed last December affecting the company's Gradio framework, which could lead to the exfiltration of secrets. Although Hugging Face patched Gradio in response, the old vulnerabilities were still exploitable on the Spaces platform for apps running outdated Gradio versions.

Gradio is an open-source Python-based web application framework for developing and sharing AI/ML demos. Users can share Gradio apps by hosting them in a Hugging Face Space, self-hosting, or using the Gradio share feature. The vulnerabilities disclosed allowed attackers to read arbitrary files from a server hosting Gradio, including accessing secrets stored in environment variables.

Hugging Face responded promptly to the reported potential breach and implemented measures to harden the Spaces platform. They advised users to upgrade to the latest Gradio version and took steps to prevent exploitation of vulnerabilities that could lead to secret leakage. Users were also advised to rotate their secrets and tokens, upgrade their Gradio version, and enable authentication for their Gradio Space.
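One way to check a Space against two of these recommendations (Gradio version and authentication), as an added example that is not code from Hugging Face or the original article. It assumes the Space's `README.md` front matter carries `sdk` and `sdk_version` and that the app enables login through the `auth=` argument of `launch()`; the function names, the sample inputs and the minimum version are hypothetical placeholders.

```python
import re

# Constructed sample inputs (not taken from any real Space).
README_OLD = "---\ntitle: Demo\nsdk: gradio\nsdk_version: 3.50.2\n---\n"
README_NEW = "---\ntitle: Demo\nsdk: gradio\nsdk_version: 4.2.0\n---\n"
APP_NO_AUTH = "import gradio as gr\ndemo = gr.Interface(str.upper, 'text', 'text')\ndemo.launch()\n"
APP_AUTH = APP_NO_AUTH.replace("launch()", "launch(auth=(USER, PASSWORD))")
# Placeholder only: take the real minimum patched version from the Gradio advisory.
PLACEHOLDER_MIN_VERSION = "4.0.0"

def parse_version(text):
    """Turn '4.19.2' into (4, 19, 2), padding short versions with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def read_front_matter(readme):
    """Return key/value pairs from the YAML front matter of a Space README."""
    match = re.match(r"\s*---\s*\n(.*?)\n---", readme, re.DOTALL)
    fields = {}
    if match:
        for line in match.group(1).splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip().strip("'\"")
    return fields

def audit_space(readme, app_source, min_version):
    """List findings for one Gradio Space; an empty list means nothing was flagged."""
    meta = read_front_matter(readme)
    if meta.get("sdk") != "gradio":
        return []  # not a Gradio Space, nothing to check here
    findings = []
    pinned = meta.get("sdk_version")
    if not pinned:
        findings.append("sdk_version is not pinned; cannot tell which Gradio runs")
    elif parse_version(pinned) < parse_version(min_version):
        findings.append(f"Gradio {pinned} is older than required {min_version}")
    # Heuristic text match: an auth= keyword argument inside a launch(...) call.
    if not re.search(r"\.launch\([^)]*\bauth\s*=", app_source):
        findings.append("no auth= argument found in a launch() call")
    return findings

if __name__ == "__main__":
    for finding in audit_space(README_OLD, APP_NO_AUTH, PLACEHOLDER_MIN_VERSION):
        print("FINDING:", finding)
```

The check does not cover the remaining recommendation: secrets and tokens that were stored in an affected Space still need to be rotated.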

Overall, Hugging Face’s response to the vulnerabilities and breach was commendable, and users were urged to take necessary precautions to protect their data and ensure their systems are up to date.

Source link: https://securityboulevard.com/2024/06/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/amp/
