I wonder how much of this is vibe coded? Didn't see any estimate of that from skimming.
It's a bit surprising: Claude, ChatGPT, Gemini and even Grok write extremely robust and defensive C and C++ when I test them (various custom parsers and networking clients/servers), so you'd think they'd do better in more web-native languages and with frameworks etc.
Original title: Your Space is My Zone: Demystifying the Security Risks of AI-Powered Applications on Pre-Trained Model Hubs
Remarkable conclusion: "Alarmingly, we find thousands of apps leaking credentials, hundreds containing input injection vulnerabilities that allow arbitrary code execution, and tens harboring embedded backdoors—indicating active exploitation." AI use for creating applications seems insecure by default...