Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic.
In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all.
Whoever grabs it can send model requests on the developer’s account, and the developer pays the bill. Three months after the researchers warned the developers, only 28% had fixed it.
The work, from researchers at Wake Forest University, is the first in-depth study of the problem on iOS. It is striking partly because of how little effort the snooping took. The team used a tool they built, LLMKeyLens, that watches an app’s traffic and pulls out the credentials as they go by. No jailbreaking, no cracking the app open.
The key is the secret that lets the app call a service like OpenAI or Google Gemini. Embed it in the app, and it is exposed with every request the app makes.
All 282 fell into one of three groups:
- Plaintext keys (54 apps):Â the key is sent in the open, readable from a single captured request.
- No key needed (92 apps):Â the app routes requests through a server that answers anyone, with no check on who is asking. An open relay to a paid AI account.
- Replayable tokens (136 apps, the most common):Â the app hands out temporary access tokens instead of the raw key, the approach that is supposed to be safer, but the tokens leak in the same traffic and were usually still valid when captured. Some were not temporary at all, as the cases below show.
For 28 of the 54 plaintext-key apps, the same request also exposed the app’s hidden system prompt, the behind-the-scenes instructions that define what the assistant does and how the product works. One capture, two prizes.
The leaks span at least ten AI providers, with OpenAI the most common, and reach across 13 app categories. Productivity apps were the biggest group; health and fitness apps had the highest leak rate. Finance and medical apps, notably, leaked nothing. Most affected apps were small, but not all of them: one had more than two million user ratings.
This is not theoretical money. Stolen AI keys feed a practice the industry calls LLMjacking, where attackers run other people’s keys to get free model access. Sysdig calculated a worst-case scenario in which stolen credentials could run up more than $46,000 a day in AI charges.
The researchers notified all 282 developers and waited three months. Only 28% had clearly fixed it.
Another 23% were still wide open; the leaked access was working. The rest had gone offline, become unreachable, or returned errors. The token apps were often the worst: one popular app, with over 100,000 ratings, set its access token to expire in the year 2125, a hundred-year pass.
Another app’s one-hour token still worked 128 days after it had expired.
The…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
