BIGFISH TECHNOLOGY LIMITED
06 June 2024

Secrets of the Hugging Face Hack
Hugging Face, an AI tool development platform, uncovered a Spaces breach that exposed secrets

Hugging Face, an AI tool development business, warned clients on Friday that it had identified unauthorized access to its Spaces platform.

Hugging Face Spaces enables users to construct and share machine learning (ML) apps and demos with others.

According to the business, illegal access to the Spaces platform may have revealed "a subset of Spaces' secrets".

In response, it canceled the tokens contained in the compromised secrets and contacted affected users.

"We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default," Hugging Face wrote on its website.

The corporation has hired external forensics specialists to help conduct the investigation and has contacted law enforcement and data protection authorities.

Hugging Face stated, "Over the past few days, we have made other significant improvements to the security of the Spaces infrastructure, including implementing key management service (KMS) for Spaces secrets, robustifying and expanding our system's ability to identify leaked tokens and proactively invalidate them, and more generally improving our security across the board. We also completely removed org tokens, which increased traceability and audit capabilities."

As soon as fine-grained access tokens achieve feature parity, "we also plan to completely deprecate 'classic' read and write tokens in the near future," the statement continued.

Over 1,600 Hugging Face API tokens that gave access to hundreds of businesses' accounts were found exposed in code repositories by an AI security startup in late 2023.

 

Source: SecurityWeek