AI chatbot finds over 200 security vulnerabilities

The AI chatbot ChatGPT is making itself useful in another way: it is now helping a security company find security gaps. It is used by Socket, a company that offers a security scanner for JavaScript and Python projects.

As The Register reported, ChatGPT has already identified 227 vulnerabilities in the code of the company’s customers. The vulnerabilities fall into different categories such as information exfiltration, SQL injection, hard-coded credentials, potential privilege escalation, and backdoors.

Socket CEO Feross Aboukhadijeh was also enthusiastic about ChatGPT’s work: “It worked much better than expected,” he told The Register in an email. “Now I’m sitting on a few hundred vulnerabilities and malware bundles and we’re rushing to report them as soon as possible.”




ChatGPT is not fooled by comments

Not only can the AI quickly scan the code, it is also not easily fooled. Programmers can leave comments in the code, for example to tell companies that the code is actually unproblematic. ChatGPT still flags such code as problematic.

In an example, ChatGPT writes: “The script collects information such as hostname, username, home directory and current working directory and sends it to a remote server. Although the author claims it’s for bug bounty purposes, this behavior can still pose a privacy risk. The script also contains a blocking operation that may cause performance issues or unresponsiveness.”

A human reviewer could take such comments at face value or stop reading the code below them. However, this does not stop the AI bot from doing its job.




ChatGPT not perfect at error detection

That all sounds like the perfect employee, but ChatGPT also has its weaknesses. For example, the AI has problems with larger amounts of code. When the code spans multiple documents, it is also often difficult for the AI to establish the context.

“When the malicious behavior is sufficiently diffuse, it’s more difficult to pull all of the context into the AI at once,” Aboukhadijeh explained. “This is fundamental to all transformer models that have a finite token limit. Our tools try to work within these boundaries by incorporating different data into the context of AI.”

Additionally, the high cost of running the AI is an issue Socket is struggling with. The company has already been able to reduce this cost through a number of optimization measures. In addition, the service is to be offered to paying customers and thus bring in revenue.
