Hugging Face partners with Wiz on AI security


Cybersecurity firm Wiz partners with Hugging Face to patch up vulnerabilities in the AI cloud provider’s architecture that could have put its customer data at risk.

Wiz said it had identified critical shortcomings in the Hugging Face AI infrastructure that could have compromised the provider and put its customer data at risk. Other providers of AI-as-a-Service, or AI cloud, could be similarly exposed, it warned.

“We believe those findings are not unique to Hugging Face and represent challenges of tenant separation that many AI-as-a-Service companies will face, considering the model in which they run customer code and handle large amounts of data while growing faster than any industry before,” Wiz said in a blog post.

Working in collaboration with Hugging Face, Wiz researchers were able to upload a malicious AI model to the platform and use it to obtain a foothold in the provider’s internal environment.

The model was crafted to behave like an ordinary model while carrying hidden backdoor functionality, which the researchers triggered by interacting with the model through the Hugging Face Inference API. The backdoored model was executed, and its backdoor activated, on the Hugging Face AI infrastructure.

According to Wiz, its researchers then used the backdoor to spawn a reverse shell into the internal environment, escaped the Linux container in which the model was running, and obtained high privileges in Hugging Face's internal AI infrastructure.
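The article does not say what file format the malicious model used. As an added example, not code from the article, Wiz or Hugging Face, the following Python assumes the common case of a model stored with Python's pickle module, where loading the file can call any importable callable. It builds a constructed model file whose load-time payload is a harmless marker rather than a reverse shell, shows that an unguarded load runs it, and then shows two checks a loader can apply before trusting an uploaded model: a static scan of the pickle opcode stream for the globals it would import, and a restricted unpickler that allows only an explicit list of types. The function names, the sample weights and the allowlist are assumptions chosen for the demonstration.

```python
# Added example, not code from the article, Wiz or Hugging Face.
# Assumption: the model file is a Python pickle (the article does not name
# the format). pickle lets a file call any importable callable at load time,
# which is one way a "backdoored" model can run code on the loader's host.
import io
import pickle
import pickletools

# Constructed harmless stand-in for the payload: a real backdoor would return
# something like (os.system, ("<reverse shell command>",)) from __reduce__.
# Here the payload only records that it ran.
PAYLOAD_RAN = []


def _payload(tag):
    PAYLOAD_RAN.append(tag)
    return {"weights": [0.1, 0.2]}   # looks like an ordinary model afterwards


class BackdooredModel:
    """Serializes to a pickle whose REDUCE opcode calls _payload() on load."""

    def __reduce__(self):
        return (_payload, ("payload-ran",))


def build_model_bytes(malicious):
    """Constructed sample model files: a plain dict of weights, or the backdoor."""
    obj = BackdooredModel() if malicious else {"weights": [0.1, 0.2]}
    return pickle.dumps(obj, protocol=4)


def naive_load(data):
    """What an unguarded loader does: pickle.loads runs any embedded callable."""
    return pickle.loads(data)


def scan_pickle_globals(data):
    """Static check: list every 'module.name' the pickle would import on load,
    without executing it. Plain weights need no imports, so a non-empty result
    for a file that should be pure tensors/dicts is a red flag.
    Limitation: STACK_GLOBAL operands are taken from the last two string
    constants seen; pickles that reuse memoized strings via BINGET are not handled."""
    refs = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
                       "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"):
            strings.append(arg)
        elif op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            refs.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":      # protocol 4+: module, name on the stack
            refs.append(f"{strings[-2]}.{strings[-1]}")
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime check: refuse any global not on an explicit allowlist.
    The allowlist is a hypothetical one for dict/OrderedDict state files;
    a real loader would allow exactly the types its own format needs."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data):
    """True if the restricted loader rejected the file (and therefore ran nothing)."""
    try:
        safe_load(data)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    bad = build_model_bytes(malicious=True)
    good = build_model_bytes(malicious=False)
    print("globals in clean file:", scan_pickle_globals(good))      # []
    print("globals in backdoored file:", scan_pickle_globals(bad))  # ['<module>._payload']
    print("restricted load blocked backdoor:", load_is_blocked(bad))  # True
    print("payload ran so far:", PAYLOAD_RAN)                       # []
    naive_load(bad)
    print("after naive load:", PAYLOAD_RAN)                         # ['payload-ran']
```

The static scan is cheap enough to run on every upload, but it only reports what a file references; the restricted unpickler is what actually stops the call, and it has to run before any other code touches the file. Formats that cannot carry code at all (plain tensor containers) remove the problem rather than filtering it, which is why an allowlist this small is practical only for state files that really are just dicts of numbers.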

“Malicious models represent a major risk to AI systems, especially for AI-as-a-service providers because potential attackers may leverage these models to perform cross-tenant attacks,” Wiz said.

According to the firm, the potential impact of such an attack could be "devastating", as attackers might gain access to millions of private AI models and applications hosted on the platform.

In a separate blog post, Hugging Face said that all the issues related to the exploit had been resolved. It called on others in the field to "responsibly disclose" security vulnerabilities and bugs.

“The AI industry is rapidly changing and new attack vectors/exploits are being identified all the time,” it said.