An employee at Elon Musk's artificial intelligence company xAI leaked a private key on GitHub that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for working with internal data from Musk's companies, including SpaceX, Tesla and Twitter/X, KrebsOnSecurity has learned.
Philippe Caturegli, "chief hacking officer" at the security consultancy Seralys, was the first to publicize the leak of credentials for an x.ai application programming interface (API) exposed in the GitHub code repository of a technical staff member at xAI.
Caturegli's post on LinkedIn caught the attention of researchers at GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardian's systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.
GitGuardian's Eric Fourrier told KrebsOnSecurity the exposed API key had access to several unreleased models of Grok, the AI chatbot developed by xAI. In total, GitGuardian found the key had access to at least 60 fine-tuned and private LLMs.
"The credentials can be used to access the X.ai API with the identity of the user," GitGuardian wrote in an email explaining their findings to xAI. "The associated account not only has access to public Grok models (grok-2-1212, etc) but also to what appears to be unreleased (grok-2.5V), development (research-grok-2p5v-1018), and private models (tweet-rejector, grok-spacex-2024-11-04)."
Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago – on March 2. But as of April 30, when GitGuardian directly alerted xAI's security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at HackerOne, but just a few hours later the repository containing the API key was removed from GitHub.
"It looks like some of these internal LLMs were fine-tuned on SpaceX data, and some were fine-tuned with Tesla data," Fourrier said. "I definitely don't think a Grok model that's fine-tuned on SpaceX data is intended to be exposed publicly."
xAI did not respond to a request for comment. Nor did the 28-year-old xAI technical staff member whose key was exposed.
Carole Winqwist, chief marketing officer at GitGuardian, said giving potentially hostile users free access to private LLMs is a recipe for disaster.
"If you're an attacker and you have direct access to the model and the back end interface for things like Grok, it's definitely something you can use for further attacking," she said. "An attacker could use it for prompt injection, to tweak the (LLM) model to serve their purposes, or try to implant code into the supply chain."
The inadvertent exposure of internal LLMs for xAI comes as Musk's so-called Department of Government Efficiency (DOGE) has been feeding sensitive government records into artificial intelligence tools. In February, The Washington Post reported DOGE officials were feeding data from across the Education Department into AI tools to probe the agency's programs and spending.
The Post said DOGE plans to replicate this process across many departments and agencies, accessing the back-end software at different parts of the government and then using AI technology to extract and sift through information about spending on employees and programs.
"Feeding sensitive data into AI software puts it into the possession of a system's operator, increasing the chances it will be leaked or swept up in cyberattacks," Post reporters wrote.
Wired reported in March that DOGE has deployed a proprietary chatbot called GSAi to 1,500 federal workers at the General Services Administration, part of an effort to automate tasks previously done by humans as DOGE continues its purge of the federal workforce.
A Reuters report last month said Trump administration officials told some U.S. government employees that DOGE is using AI to surveil at least one federal agency's communications for hostility to President Trump and his agenda. Reuters wrote that the DOGE team has heavily deployed Musk's Grok AI chatbot as part of their work slashing the federal government, although Reuters said it could not establish exactly how Grok was being used.
Caturegli said while there is no indication that federal government or user data could be accessed through the exposed x.ai API key, these private models are likely trained on proprietary data and may unintentionally expose details related to internal development efforts at xAI, Twitter, or SpaceX.
"The fact that this key was publicly exposed for two months and granted access to internal models is concerning," Caturegli said. "This kind of long-lived credential exposure highlights weak key management and insufficient internal monitoring, raising questions about safeguards around developer access and broader operational security."
Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in "twitter.com" to "x.com."
Original story:
On April 9, Twitter/X began automatically modifying links that mention "twitter.com" to read "x.com" instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links – such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.
The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.
A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in "twitter.com," although research so far shows the majority of these domains have been registered "defensively" by private individuals to prevent the domains from being purchased by scammers.
Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, "Are you serious, X Corp?"
The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.
A number of these new domains including "twitter.com" appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was "acquired to prevent its use for malicious purposes," along with a Twitter/X username.
The domain mentioned at the beginning of this story – fedetwitter.com – redirects users to the blog of a Japanese technology enthusiast. A user with the handle "amplest0e" appears to have registered space-twitter.com, which Twitter/X users would see as the CEO's "space-x.com." The domain "ametwitter.com" already redirects to the real americanexpress.com.
Some of the domains registered recently and ending in "twitter.com" currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).
The domain setwitter.com, which Twitter/X until very recently rendered as "sex.com," redirects to this blog post warning about the recent changes and their potential use for phishing.
Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.
"Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity – many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more," McNee said. "It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains."
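The boundary mistake described above, as an added example (not Twitter/X's code, which the article does not show): `naiveDisplayHost` is an assumed model of the reported behaviour, `safeDisplayHost` is a hypothetical rule that rewrites only twitter.com and its true subdomains, and the sample hosts are taken from the article or constructed.

```javascript
// Constructed sample list; the lookalike hosts are named in the article.
const SAMPLE_HOSTS = [
  "twitter.com",
  "mobile.twitter.com",
  "fedetwitter.com",
  "space-twitter.com",
  "example.org",
];

// Assumed model of the flawed rule: any host that merely *ends in*
// "twitter.com" has that suffix shown as "x.com", with no label-boundary check.
function naiveDisplayHost(host) {
  return host.toLowerCase().replace(/twitter\.com$/, "x.com");
}

// Boundary-aware rule: the suffix must be the whole host, or be preceded
// by a dot (a real subdomain). Anything else is shown unchanged.
function safeDisplayHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  if (h === "twitter.com") return "x.com";
  if (h.endsWith(".twitter.com")) {
    return h.slice(0, h.length - "twitter.com".length) + "x.com";
  }
  return h;
}

// What a reader sees versus where the click actually goes.
function displayedLink(url, rule) {
  const u = new URL(url);
  return { target: u.hostname, shown: rule(u.hostname) };
}

// Audit helper: hosts for which the naive rule would show a different
// site than the boundary-aware rule does.
function misleadingHosts(hosts) {
  return hosts.filter((h) => naiveDisplayHost(h) !== safeDisplayHost(h));
}

console.log(misleadingHosts(SAMPLE_HOSTS));
console.log(displayedLink("https://fedetwitter.com/track", naiveDisplayHost));
```
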
The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley's School of Information, summed up the Schadenfreude thusly:
"Twitter just doing a 'redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com' is not absolutely the funniest thing I could imagine but it's high up there."
What does a hacker want with your social media account? Plenty.
Hackers hijack social media accounts for several reasons. They'll dupe the victim's friends and followers with scams. They'll flood feeds with misinformation. And they'll steal all kinds of personal information, not to mention photos and chats in DMs. In all, a stolen social media account could lead to fraud, blackmail, and other crimes.
Yet you have a strong line of defense that can prevent it from happening to you: multi-factor authentication (MFA).
MFA goes by other names, such as two-factor authentication and two-step verification. Yet they all boost your account security in much the same way. They add an extra step or steps to the login process. Extra evidence to prove that you are, in fact, you. It's in addition to the usual username/password combination, thus the "multi-factor" in multi-factor authentication.
Examples of MFA include:
With MFA, a hacker needs more than just your username and password to weasel their way into your account. They need that extra piece of evidence required by the login process, which is something only you should have.
This stands as a good reminder that you should never give out the information you use in your security questions, and never share your one-time security codes with anyone. In fact, scammers cobble together all kinds of phishing scams to steal that information.
Major social media platforms offer MFA, although they might call it by other names. As you'll see, several platforms call it "two-factor authentication."
Given the way that interfaces and menus can vary and get updated over time, your best bet for setting up MFA on your social media accounts is to go right to the source. Social media platforms provide the latest step-by-step instructions in their help pages. A simple search for "multi-factor authentication" and the name of your social media platform should readily turn up results.
For quick reference, you can find the appropriate help pages for some of the most popular platforms here:
Another important reminder is to check the URL of the site you're on to ensure it's legitimate. Scammers set up all kinds of phony login and account pages to steal your info. Phishing scams like those are a topic all on their own. A great way you can learn to spot them is by giving our Phishing Scam Protection Guide a quick read. It's part of our McAfee Safety Series, which covers a broad range of topics, from romance scams and digital privacy to online credit protection and ransomware.
In many ways, your social media account is an extension of yourself. It reflects your friendships, interests, likes, and conversations. Only you should have access to that. Putting MFA in place can help keep it that way.
More broadly, enabling MFA across every account that offers it is a smart security move as well. It places a major barrier in the way of would-be hackers who, somehow, in some way, have ended up with your username and password.
On the topic, ensure your social media accounts have strong, unique passwords in place. The one-two punch of strong, unique passwords and MFA will make hacking your account tougher still. Wondering what a strong, unique password looks like? Here's a hint: a password with eight characters is less secure than you might think. With a quick read, you can create strong, unique passwords that are tough to crack.
Lastly, consider using comprehensive online protection software if you aren't already. In addition to securing your devices from hacks and attacks, it can help protect your privacy and identity across your travels online, both on social media and off.
The post How to Protect Your Social Media Passwords from Hacks and Attacks appeared first on McAfee Blog.
Authored by: Vallabh Chole and Yerko Grbic
On July 23rd, 2023, Elon Musk announced that the social networking site Twitter was rebranding as "X". The news propelled Twitter and X to gain headlines and become the top trending topics on popular social media platforms.
Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to "twitter-x" and "twitter fund" to promote scam links with new X branding.
Figure 1. Twitter-X-themed YouTube Live Stream by scammer
Figure 2. Twitter X Crypto Scam
This type of scam has been active for some time and uses an innovative approach to lure victims. To make this scam more authentic, attackers target famous influencers with sponsorship emails that contain password-stealing malware as email attachments. When password stealer malware is executed, the influencer's session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems.
Figure 3. Malware Flow Chart
After the influencer's account has been compromised, the scammer starts to rename channels, in this case to "Twitter CEO", and then the scammers start to live stream an Elon Musk video on YouTube. They post web links for new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions, such as "Thanks Mr.Elon". If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software/game applications, which are malware masquerading as legitimate software or games. These videos demonstrate how to download and execute files, which are common password-stealing malware, and are distributed through compromised social media accounts.
McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you'll feel safer online because you'll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with WebAdvisor protection that detects malicious websites.
Figure 4. McAfee WebAdvisor detection
Below is a detection heatmap for scam URLs targeting twitter-x and promoting crypto scams.
Figure 5. Scam URL Detection Heatmap
Figure 6. Password stealer Heatmap
Scam Site | Crypto Type | Wallet
twitter-x[.]org | ETH | 0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org | BTC | 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug
twitter-x[.]org | USDT | 0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org | DOGE | DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J
The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.