282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study
Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic
Yasna brings together recent headlines from selected sources and makes them easier to sort with tags, filters, and search.
Search across headline titles and summaries.
Weekly headline count for the current query.
Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic
Probably not an isolated incident only as researchers have already found 2,863 live API keys exposed A developer says their company is on the hook for more than $82,000 in unauthorized charges after a stolen Google Gemini API key racked massive usage costs up in just 48 hours.…
New research has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data
We’ve all seen this before: a developer deploys a new cloud workload and grants overly broad permissions just to keep the sprint moving. An engineer generates a "temporary" API key for testing and forgets to revoke it. In the past, these were minor operational risks, debts you’d eventually pay down during a slower cycle
Database Misconfiguration Exposed 1.5 million API TokensA misconfigured database at Moltbook, the viral social network for AI agents, exposed 1.5 million API authentication tokens, 35,000 email addresses and private messages. Security researchers discovered unauthenticated read and write access to all platform data within days of launch.
Someone used AI to build an entire Web platform, which then did something predictable and preventable: It exposed all its data through a publicly accessible API.
Leaked non-human identities like API keys and tokens are becoming a major breach driver in cloud environments. Flare shows how exposed machine credentials quietly grant attackers long-term access to enterprise systems. [...]
Leaked API keys are no longer unusual, nor are the breaches that follow. So why are sensitive tokens still being so easily exposed? To find out, Intruder’s research team looked at what traditional vulnerability scanners actually cover and built a new secrets detection method to address gaps in existing approaches. Applying this at scale by scanning 5 million applications revealed over
ChatGPT Maker Probes Third-Party Data Breach; OpenAI API Users' Information ExposedOpenAI has temporarily ceased use of Mixpanel after the analytics firm disclosed a breach affecting profile data of the artificial intelligence giant's API platform users. The company is notifying impacted organizations and watching for signs of data misuse.
OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider Mixpanel. [...]
The breach may have exposed OpenAI API customers’ data
SonicWall has formally implicated state-sponsored threat actors as behind the September security breach that led to the unauthorized exposure of firewall configuration backup files
A threat actor targeting exposed Docker APIs has updated its malicious tooling with more dangerous functionality that could lay the foundation for a complex botnet. [...]
Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs
Exposed API documentation is a gift-wrapped roadmap for threat actors. The free Autoswagger tool from Intruder scans for exposed docs and flags endpoints with broken access controls—before attackers find them. [...]
High-Severity Flaw in LangChain's AI Tooling Hub Now PatchedA flaw in the LangSmith platform, an open-source framework that helps developers build LLM-powered applications, can enable hackers to siphon sensitive data, said Noma Security. Dubbed AgentSmith, the flaw can allow attackers to embed malicious proxy configurations into public AI agents.
Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems
Misconfigured Docker API instances have become the target of a new malware campaign that transforms them into a cryptocurrency mining botnet
A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request. [...]
Also: Addressing AI Vulnerabilities and Governance ChallengesDeepSeek, an advanced open-source AI model, is under scrutiny for its safety guardrails failing multiple security tests and a data leak that exposed user information and API keys. Sam Curry, CISO at Zscaler, discusses AI security, risk management and upcoming U.S. policy changes.