This has been a pivotal year for generative artificial intelligence (AI). The release of large language models (LLMs) has showcased how powerful the technology can be at making business processes more efficient. Many organizations are now in a race to adopt generative AI and train models on their own data sets.

Developing and training AI models can be a costly endeavor and they can easily become one of the most valuable assets a company might have. It’s therefore important to keep in mind that these models are susceptible to theft and other attacks, and the systems that host them need to have strong security protections and policies in place.

A recent vulnerability patched in MLflow, an open-source machine-learning lifecycle platform, highlights how easy it could be for attackers to steal or poison sensitive training data when a developer visits a random website on the internet from the same machine where MLflow runs. The flaw, tracked as CVE-2023-43472, was patched in MLflow 2.9.0.

Localhost attacks via rogue JavaScript code

Many developers believe that services bound to localhost — a computer’s internal hostname — cannot be targeted from the internet. However, this is an incorrect assumption according to Joseph Beeton, a senior application security researcher at Contrast Security, who recently held a talk on attacking developer environments through localhost services at the DefCamp security conference.

Beeton recently found serious vulnerabilities in the Quarkus Java framework and MLflow that allow remote attackers to exploit features in the development interfaces or APIs exposed by those applications locally. The attacks would only require the computer user to visit an attacker-controlled website in their browser or a legitimate site where the attacker managed to place specifically crafted ads.

Drive-by attacks have been around for many years, but they become far more powerful when combined with a cross-site request forgery (CSRF) vulnerability in an application. In the past, hackers have used drive-by attacks through malicious ads placed on websites to hijack the DNS settings of users’ home routers. Normally, a browser’s same-origin policy only allows JavaScript code to make requests to resources from the same origin (domain) as the script. A special mechanism called cross-origin resource sharing (CORS) can be used to relax this restriction and allow scripts to make requests across different origins, but only if the target server explicitly permits it.
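To make the defensive side of this concrete, here is an added example (not code from the article, from MLflow, or from Contrast Security) of a small localhost HTTP service that refuses the kind of cross-site browser request a drive-by page would send. It checks the `Host` header against loopback names, honours the `Sec-Fetch-Site` and `Origin` headers that browsers attach, and emits CORS headers only for a trusted origin. The endpoint path `/api/delete-run`, the port 5000 and the trusted origin list are constructed for this example; a real service would derive them from its configuration.

```python
"""Localhost service with CSRF / cross-site request checks (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# Constructed for this example: loopback names the service is bound to, and
# the browser origins it trusts (its own UI, served from port 5000).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}


def is_browser_request_allowed(headers):
    """Decide from request headers whether a state-changing request may proceed.

    Rules, in order:
      1. Host must be a loopback name. This rejects requests where the browser
         resolved an attacker-chosen hostname to 127.0.0.1 (DNS rebinding).
      2. If the browser sent Sec-Fetch-Site, a "cross-site" value is refused.
      3. If the browser sent Origin (it does for fetch/XHR and for form POSTs),
         it must be one of the origins we trust.
    Non-browser clients (curl, a CLI) send neither Origin nor Sec-Fetch-Site,
    so only rule 1 applies to them.
    """
    h = {k.lower(): v for k, v in headers.items()}
    hostname = h.get("host", "").split(":")[0].lower()
    if hostname not in LOOPBACK_HOSTS:
        return False
    if h.get("sec-fetch-site") == "cross-site":
        return False
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    return True


def cors_headers(origin):
    """CORS response headers for a trusted origin only.

    An untrusted origin gets no CORS headers at all, so a script on that origin
    cannot read the response. Never echo an arbitrary Origin value back, and
    never use '*' on an endpoint that acts on local state.
    """
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


class LocalApiHandler(BaseHTTPRequestHandler):
    """Hypothetical state-changing endpoint (POST /api/delete-run).

    Only the policy decision is modelled; there is no real run store behind it.
    """

    def do_POST(self):
        if not is_browser_request_allowed(dict(self.headers)):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"cross-site request refused\n")
            return
        body = json.dumps({"status": "ok", "path": self.path}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        for name, value in cors_headers(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        # Preflight: only a trusted origin learns that POST is permitted.
        self.send_response(204)
        allowed = cors_headers(self.headers.get("Origin"))
        for name, value in allowed.items():
            self.send_header(name, value)
        if allowed:
            self.send_header("Access-Control-Allow-Methods", "POST, OPTIONS")
            self.send_header("Access-Control-Allow-Headers", "Content-Type")
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; never 0.0.0.0 for a development service.
    HTTPServer(("127.0.0.1", 5000), LocalApiHandler).serve_forever()
```

The important design point is that the same-origin policy alone does not prevent a page on another origin from *sending* a simple POST to localhost; it only prevents the page from reading the response. A state-changing endpoint therefore has to reject the request itself, which is what the `Host`, `Sec-Fetch-Site` and `Origin` checks do, while the CORS headers control only which origins may read results.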