AI chatbot tracks over 200 vulnerabilities – t3n – Digital Pioneers

The chatbot can crawl the code. (Photo: Shutterstock/Katerina Rica)

ChatGPT’s AI-powered chatbot makes itself useful in another way: Now AI helps a security company find security holes. It is used by the company Socket, which provides a security scanner for JavaScript and Python projects.

like side log I mentioned that ChatGPT has already identified 227 vulnerabilities in the company’s client code. The vulnerabilities themselves fall into different categories such as information theft, SQL injection, encrypted credentials, potential privilege escalation, and backdoors.

Virus Abu Khadija, CEO of Socket, was also enthusiastic about making ChatGPT: “It worked much better than expected,” he told The Register in an email. “Now I have a few hundred vulnerabilities and malware packages and we are rushing to report them as soon as possible.”

Not only is the AI ​​capable of scanning code quickly, but it can’t be easily fooled. Programmers can leave comments in the code, for example to tell companies that the code is actually not problematic. However, ChatGPT still flags the code as problematic.

In an example, ChatGPT wrote: “The script collects information such as hostname, username, home directory, and current working directory and sends it to a remote server. Although the author claims that for bug bounty purposes, this behavior is still a privacy risk. The script also contains a blocking process that may cause performance issues or become unresponsive.”

The human reviewer can take such comments at face value or stop scanning the code under the comments. However, this does not prevent the AI ​​bot from doing its job.

This all sounds like the perfect employee, but ChatGPT also has its weaknesses. For example, AI has problems with larger amounts of code. Even if the code spans multiple documents, it is often difficult for the AI ​​to generate the context.

“When malicious behavior is widespread enough, it’s hard to pull all the context into the AI ​​at once,” Abu Khadija explained. “This is central to all adapter models that have a finite symbolic limit. Our tools try to work within these limits by integrating different data in the context of artificial intelligence.”

In addition, the high cost of running artificial intelligence is a problem that socket faces. The company has already managed to reduce this through a number of improvement measures. In addition, the service is provided to paying customers, thus money is pumped into the coffers.