How I Tricked a Server (with AI) Into Leaking Its Secrets
Summary
The writer, a cyber security researcher, was looking for potential data leakage points within a large target organisation, which they refer to by the placeholder domain 'Schmexample.com'.
Rather than exploring the myriad of potential endpoints manually, they used ChatGPT to suggest common naming patterns for sensitive endpoints.
These suggestions were turned into a wordlist and fed to the web fuzzer FFUF, which automated the probing and surfaced the responding endpoints that looked most obviously sensitive and most likely to leak data.
Among these endpoints was /logs/debug.log, which on inspection turned out to be an exposed internal log containing API keys and internal IP addresses.
The vulnerability has since been reported to the organisation in question.
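The pipeline the summary describes, as an added example that is not the author's code or output: a small wordlist of candidate sensitive paths (constructed here, not ChatGPT's actual suggestions), a probe loop standing in for FFUF (Python's urllib is used so the example runs offline), and a triage step that flags RFC 1918 addresses and API-key-shaped assignments in any 200 response. The target is a local stub server that only serves /logs/debug.log with invented log lines; the hostname, paths and log content are all assumptions for this example.

```python
"""Added example: probe candidate sensitive paths and triage hits for leaked
secrets. Not the author's code; wordlist, stub server and log content are
constructed for illustration."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Constructed wordlist of the kind an LLM might suggest for "commonly exposed
# sensitive endpoints" (assumption: these are not the page's actual list).
CANDIDATE_PATHS = [
    "/.env", "/.git/config", "/config.json", "/backup.zip",
    "/logs/debug.log", "/logs/error.log", "/admin/", "/api/v1/debug",
    "/server-status", "/phpinfo.php",
]

# Triage patterns: RFC 1918 private ranges and key=value style API keys.
INTERNAL_IP = re.compile(
    r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b"
)
API_KEY = re.compile(
    r"(?i)\b(?:api[_-]?key|secret[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)


def probe(base_url, paths, timeout=3):
    """Request each path; return {path: (status, body)} for non-404 responses."""
    hits = {}
    for path in paths:
        try:
            with urlopen(base_url + path, timeout=timeout) as resp:
                hits[path] = (resp.status, resp.read().decode("utf-8", "replace"))
        except HTTPError as e:
            if e.code != 404:          # 401/403/500 still indicate the path exists
                hits[path] = (e.code, "")
        except URLError:
            pass                        # connection-level failure: skip this path
    return hits


def find_secrets(text):
    """Flag internal addresses and API-key-shaped values in a response body."""
    return {
        "internal_ips": sorted(set(INTERNAL_IP.findall(text))),
        "api_keys": API_KEY.findall(text),
    }


# Constructed stand-in for the target: only /logs/debug.log exists, and its
# content (addresses, key) is invented for this example.
DEBUG_LOG = (
    "2024-01-01 12:00:00 DEBUG db connect 10.0.3.17:5432 ok\n"
    "2024-01-01 12:00:01 DEBUG upstream api_key=EXAMPLEKEY0123456789abcdef\n"
    "2024-01-01 12:00:02 INFO  cache node 192.168.1.50 healthy\n"
)


class StubHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/logs/debug.log":
            body = DEBUG_LOG.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):       # keep the stub quiet
        pass


def start_stub_server():
    """Serve the stub on an ephemeral loopback port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo():
    """Fuzz the stub and return triage results for every 200 response."""
    srv, base = start_stub_server()
    try:
        hits = probe(base, CANDIDATE_PATHS)
        return {p: find_secrets(body) for p, (status, body) in hits.items() if status == 200}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(path, findings)
```

Against a real target the probe loop is what FFUF does far faster; with the same wordlist saved to a file the equivalent invocation is `ffuf -w wordlist.txt -u https://schmexample.com/FUZZ -mc 200,401,403`, with `-fs` used to filter out soft-404 pages that return 200 with a fixed size. The triage regexes are deliberately loose: a hit means "look at this by hand", and as with the page's own test this should only be run against systems you are authorised to assess.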