AIs Hacking Websites – Schneier on Security

3 months ago AndyC

AIs Hacking Websites
New research:

LLM Agents can Autonomously Hack Websites
Abstract: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e.

AIs Hacking Websites

New research:

LLM Agents can Autonomously Hack Websites

Abstract: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents.

In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs.

Tags: , , ,

Sidebar photo of Bruce Schneier by Joe MacInnis.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , ,

More Stories

million reward offer for apprehension of unmasked LockBit ransomware leader

$10 million reward offer for apprehension of unmasked LockBit ransomware leader

4 hours ago AndyC
Dell discloses data breach impacting millions of customers

Dell discloses data breach impacting millions of customers

10 hours ago AndyC
FBI Warns US Retailers That Cybercriminals Are Targeting Their Gift Card Systems

FBI Warns US Retailers That Cybercriminals Are Targeting Their Gift Card Systems

10 hours ago AndyC

How Criminals Are Using Generative AI

10 hours ago AndyC
Mirai botnet also spreads through the exploitation of Ivanti Connect Secure bugs

Mirai botnet also spreads through the exploitation of Ivanti Connect Secure bugs

16 hours ago AndyC
Zscaler is investigating data breach claims

Zscaler is investigating data breach claims

16 hours ago AndyC

You may have missed

Rapid7 unveils patented ransomware prevention technology

Rapid7 unveils patented ransomware prevention technology

54 mins ago AndyC
Exclusive: How AvePoint is tackling complex data management

Exclusive: How AvePoint is tackling complex data management

4 hours ago AndyC
Cloudflare launches comprehensive suite for cyber risk management

Cloudflare launches comprehensive suite for cyber risk management

4 hours ago AndyC
ManageEngine integrates Log 360 with Constella for dark web monitoring

ManageEngine integrates Log 360 with Constella for dark web monitoring

4 hours ago AndyC
<div>CrowdStrike & NinjaOne unite for comprehensive cyber defence</div>

CrowdStrike & NinjaOne unite for comprehensive cyber defence

4 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.