Cybercrooks Scrape OpenAI API Keys to Pirate GPT-4

Published: 23/11/2024   Category: security



With more than 50,000 publicly leaked OpenAI keys on GitHub alone, OpenAI developer accounts are the third-most exposed in the world.



Yesterday, moderators of the r/ChatGPT Discord channel banned a script kiddie who was freely sharing stolen OpenAI API keys with hundreds of other users.
API keys allow developers to integrate OpenAI's technologies — particularly its latest language model, GPT-4 — into their own applications. Often, however, developers forget their keys in their code, making account theft a matter of just a few clicks.
Since at least March, a user by the name Discodtehe has been scraping API keys from source code published to the software collaboration platform Replit. The person shared free access to the booty on r/ChimeraGPT, where a community of more than 800 members began racking up usage charges to the stolen accounts.
Following Vice reporting on June 7, Discodtehe can no longer be found on Discord or Reddit. But the story isn't over, experts emphasize: tens of thousands of exposed API keys are still out in the wild.
"The core of the story is: Don't put credentials in your source code," says Chris Anley, chief scientist at NCC Group. "And certainly don't then publish that source code."
As ChatGPT exploded in popularity, its keys began proliferating on the open Web.
In The State of the Secrets Sprawl 2023 report, published March 8, GitGuardian observed thousands of exposed OpenAI keys in public repositories, rising in proportion to the newfound popularity of ChatGPT.
As of this writing, GitGuardian tells Dark Reading there are more than 50,000 publicly leaked OpenAI keys on GitHub alone. That makes OpenAI developer accounts the third-most exposed in the world, behind only MongoDB and Google.
With vulnerability has come exploitation: cybercriminals have been trafficking stolen OpenAI keys ever since, often out in the open on social platforms. Individuals can use the stolen keys to use the associated accounts, accruing large bills for the owner and possibly accessing sensitive business data along the way.
What enables this market isn't just developers' lack of due diligence, but also the ease with which anybody can find this information in public forums. Back in March, according to Vice, Discodtehe bragged how "the other day I scraped repl.it and found over 1000 working openai api keys," adding that, "I didn't even do a full scrape, I only looked at about half of the results."
They probably weren't exaggerating. On a Zoom call, Dwayne McDaniel, security developer advocate at GitGuardian, demonstrated how easy it would've been. "I signed up for a Replit account a couple of minutes ago, and it took me less than two minutes to find OpenAI keys," he said.
"In any repository management system — be it GitHub, Replit, what have you — there's a search function. And search functions have only gotten better over time. So I looked for openapi.key, openai.api.key, and so on, and it brought back search results," he explained.
Enterprises' problem with hard-coded secrets doesn't always end with low-level hackers and Discord users.
As Anley explains: "One of the reasons why it's so serious when people put credentials in code is that even in relatively placid times, tech industry turnover runs around 20% per annum. So if all of your most sensitive secrets are hard coded in your private corporate repositories, that means that, every year, 20% of your developers are walking out with administrative credentials to your systems in their back pocket. And that's without any breach happening!"
Current and former employees can divulge corporate goodies by accident, or with malicious intent.
But keeping secrets doesn't have to be hard. OpenAI even provides a handy guide to it, recommending that organizations assign unique keys to each individual user, use environment variables and a key management service, rotate keys, and, of course, never include keys in code.
McDaniel echoes all of the same points. "The proper thing would be to put your keys in a vault," he says, and to rotate often. "Do it on a regular basis — every day, if you're very sensitive, and you know that you've been targeted before. Third-party tools can help that 24-hour rotation."
"At the end of the day," he concludes, "the best secrets you can ever have are ones that either just don't exist, or that you never actually know yourself because they're rotated automatically."
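The two defensive habits the article lands on, catching a key before it is committed and reading it only from the environment, are shown below in an added example that is not part of the article or of OpenAI's or GitGuardian's own tooling. It assumes OpenAI secret keys begin with "sk-" followed by a long alphanumeric tail (the length threshold is an assumption), and the sample files and key values are constructed, not real.

```python
import os
import re
from dataclasses import dataclass

# Assumed key shape: "sk-" plus a long base62 tail. The 32-char minimum is an
# assumption chosen to avoid matching short identifiers; a production scanner
# would use vendor-maintained rules rather than this single regex.
OPENAI_KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{32,}\b")
# Assignments like openai.api_key = "..." or OPENAI_API_KEY="..." (the kind of
# search term used in the article's demo), caught even if the value is unusual.
KEY_ASSIGN_RE = re.compile(
    r"(?i)(openai[._]?api[._]?key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    reason: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that appears to embed an OpenAI key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if OPENAI_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "sk- token literal"))
        elif KEY_ASSIGN_RE.search(line):
            findings.append(Finding(path, lineno, "api key assigned a string literal"))
    return findings

def load_api_key() -> str:
    """The non-leaking alternative: read the key from the environment only.
    There is deliberately no hard-coded fallback value to commit by mistake."""
    key = os.environ.get("OPENAI_API_KEY")
    if not key:
        raise RuntimeError("OPENAI_API_KEY is not set; refusing to start")
    return key

# Constructed sample files standing in for a repository tree (not real keys).
SAMPLES = {
    "bad_config.py": 'openai.api_key = "sk-' + "Ab1" * 16 + '"\nprint("hi")\n',
    "worse.env": 'OPENAI_API_KEY="literal-secret-value-that-should-not-be-here"\n',
    "good.py": 'import os\nkey = os.environ["OPENAI_API_KEY"]\n',
}

def scan_samples() -> list[Finding]:
    """Run the scanner over the constructed tree; suitable as a pre-commit hook body."""
    return [f for path, text in SAMPLES.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line}: {f.reason}")
```

Wired into a pre-commit hook or CI job, a non-empty result fails the commit, which is where the article's advice says the key should have been stopped.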
