PromptRiskDBThreat intelligence atlas

ClearviewAI Misconfiguration - AI Case Study

AI Case Study

Clearview AI makes a facial recognition tool that searches publicly available photos for matches. This tool has been used for investigative purposes by law enforcement agencies and other parties. Clearview AI's source code repository, though password protected, was misconfigured to allow an arbitrary user to register an account. This allowed an external researcher to gain access to a private code repository that c...

Overview

Case steps4Steps described in the case record.
Techniques4Attack methods mentioned in the case steps.
Linked CVEs0Known vulnerabilities mentioned in the record.

Risk patterns

Patterns found in the case record and its linked vulnerabilities.

  • 1Dominant ATLAS tactic. Resource Development appears in 2 case steps.
  • 2Multiple attack methods. The case connects to 4 unique AI attack methods.

Procedure timeline

Search the case steps or filter them by attacker goal.

Resource Development2Collection1Impact1
  1. Resource Development

    A security researcher gained initial access to Clearview AI's private code repository via a misconfigured server setting that allowed an arbitrary user to register a valid account.

  2. Collection

    The private code repository contained credentials which were used to access AWS S3 cloud storage buckets, leading to the discovery of assets for the facial recognition tool, including: - Released desktop and mobile applications - Pre-release applications featuring new capabilities - Slack access tokens - Raw videos and other data

  3. Impact

    As a result, future application releases could have been compromised, causing degraded or malicious facial recognition capabilities.

Mitigations

Defenses connected to the attack methods in this case.

Adversarial Input Detection

Detect and block adversarial inputs or atypical queries that deviate from known benign behavior, exhibit behavior patterns observed in previous attacks or that come from potentially malicious IPs. Incorporate adversarial detection algorithms into the AI system prior to the AI model.

Input Restoration

Preprocess all inference data to nullify or reverse potential adversarial perturbations.

Limit Public Release of Information

Limit the public release of technical information about the AI stack used in an organization's products or services. Technical knowledge of how AI is used can be leveraged by adversaries to perform targeting and tailor attacks to the target system. Additionally, consider limiting the release of organizational information - including physical locations, researcher names, and department structures - from which technical details such as AI techniques, model architectures, or datasets may be inferred.

Model Hardening

Use techniques to make AI models robust to adversarial inputs such as adversarial training or network distillation.

Showing 4 of 5

Source evidence

Original public records and references for this case.

Original source

Original source links

Open the MITRE ATLAS data and public references used for this case study.