
"Cybersecurity researchers have revealed two critical flaws in Wondershare RepairIt, an AI-powered repair tool used by millions, that open the door to massive supply chain attacks. Trend Micro disclosed the details last week, and says RepairIt 'contradicted its privacy policy by collecting, storing, and, due to weak Development, Security, and Operations (DevSecOps) practices, inadvertently leaking private user data.' The vulnerabilities carry CVSS scores of 9.1 and 9.4, which are among the worst seen in consumer AI apps this year."
"RepairIt was keeping user files in unsecured cloud storage without encryption, despite explicitly assuring users their data would not be stored at all. This is a potential catastrophe because of the attack path. Because RepairIt automatically pulls AI models from the compromised cloud storage, attackers could swap or tweak those models and quietly infect users. The reality is that one update could lead to countless victims."
Two critical vulnerabilities in Wondershare RepairIt expose users to massive supply-chain attacks. The flaws carry CVSS scores of 9.1 and 9.4. RepairIt stored user files in unsecured cloud storage without encryption despite promising that data would not be stored. Developers hardcoded overly permissive cloud access tokens into the application's source code, granting read and write access to sensitive cloud storage. RepairIt automatically pulls AI models from that cloud storage, allowing attackers to swap or modify models and deliver malicious updates. A single compromised model or update could silently infect countless users and compromise millions of devices.
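The attack path above hinges on the app trusting whatever it pulls from a bucket that the leaked token can write to. The following added example (not Wondershare's code; all model bytes, names and the bucket are constructed) shows the defensive counterpart: a loader that only accepts a downloaded model whose SHA-256 matches a digest pinned inside the application, so write access to the storage alone cannot push a tampered model.

```python
import hashlib
import hmac

# Pinned SHA-256 digests for each model the app may load. The manifest ships
# inside the application binary, not in the download bucket, so an attacker
# with only bucket write access cannot update it. Values here are constructed.
LEGIT_MODEL = b"constructed: legitimate model weights v1"
PINNED_DIGESTS = {
    "repair-v1.bin": hashlib.sha256(LEGIT_MODEL).hexdigest(),
}

class ModelIntegrityError(Exception):
    """Raised when a downloaded model does not match its pinned digest."""

def verify_model(name: str, blob: bytes) -> bool:
    """Return True only if blob matches the digest pinned for this model name."""
    expected = PINNED_DIGESTS.get(name)
    if expected is None:  # unknown model name: fail closed
        return False
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected)

def load_model(name: str, fetch) -> bytes:
    """Download via fetch(name) and refuse to return anything unverified."""
    blob = fetch(name)
    if not verify_model(name, blob):
        raise ModelIntegrityError(f"{name}: digest mismatch, refusing to load")
    return blob

# Constructed stand-in for the cloud storage the app pulls models from.
BUCKET = {"repair-v1.bin": LEGIT_MODEL}

def fetch_from_bucket(name: str) -> bytes:
    return BUCKET[name]

def demo() -> dict:
    """Load the genuine model, then simulate a swapped object in the bucket."""
    results = {"genuine": load_model("repair-v1.bin", fetch_from_bucket) == LEGIT_MODEL}
    BUCKET["repair-v1.bin"] = b"constructed: tampered weights"
    try:
        load_model("repair-v1.bin", fetch_from_bucket)
        results["tampered_rejected"] = False
    except ModelIntegrityError:
        results["tampered_rejected"] = True
    BUCKET["repair-v1.bin"] = LEGIT_MODEL  # restore so demo() is repeatable
    return results

if __name__ == "__main__":
    print(demo())
```

Pinning digests means a model update requires an application update; a signed manifest verified with a key embedded in the app relaxes that while keeping the bucket untrusted.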
Read at TechRepublic