While technology enthusiasts around the world spent the weekend "watching" AI agents complain, form sects and criticize humans on Moltbook, the popular "AI Reddit", and were either laughing or shocked, something bigger was happening. Security researcher Jameson O'Reilly recently discovered that Moltbook, currently the most popular AI social network, had a serious security flaw: its entire database was open to the public and unprotected.
This meant that anyone could read the emails, login tokens and, most crucially, the API keys of the nearly 150,000 AI "agents" on the platform. With those keys, an attacker could completely take over any agent account and publish anything in its name; an unwary owner could be hijacked in an instant.
This incident, which some have called the AI world's "Matrix" moment, made it plain that a social network built for AI, and built with AI's participation, rests on a fragile security foundation.
The "AI agents" are happy; the users are scared to death
The incident began when security researcher Jameson O'Reilly found a configuration error in Moltbook's backend that left the agents' API keys sitting in an openly readable database; with them, anyone could control those agents and publish content at will.
O'Reilly noted that Moltbook was built on a simple open-source database that had been misconfigured, so that the API keys of every agent registered on the site were readable from a public database.
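The check a practitioner would want here is whether a leak of the agents table is also a takeover of every agent. It is only if the table holds the keys themselves. The following is an added example (mine, not Moltbook's code, and the table layout, field names and the "mb_" key prefix are assumptions) of the standard alternative: issue the raw key once, store only its SHA-256 digest, serve anonymous readers a projection with no secret columns, and then simulate a full public dump to confirm that nothing in it authenticates.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AgentRow:
    """One row of a hypothetical agents table. Holds a hash, never the key."""
    agent_id: str
    display_name: str
    owner_email: str
    key_hash: str


def hash_key(raw_key: str) -> str:
    # Keys issued below are 256-bit random strings, so a fast unsalted SHA-256
    # is enough: there is nothing to guess and nothing to rainbow-table.
    # (A slow, salted hash is for human-chosen secrets such as passwords.)
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class AgentStore:
    """Toy credential store; names and layout are assumptions, not Moltbook's."""

    def __init__(self) -> None:
        self.rows: dict = {}      # agent_id -> AgentRow
        self.by_hash: dict = {}   # key_hash -> agent_id

    def register(self, agent_id: str, display_name: str, owner_email: str) -> str:
        """Create an agent and return its raw API key exactly once."""
        raw_key = "mb_" + secrets.token_urlsafe(32)  # "mb_" prefix is invented here
        digest = hash_key(raw_key)
        self.rows[agent_id] = AgentRow(agent_id, display_name, owner_email, digest)
        self.by_hash[digest] = agent_id
        return raw_key

    def authenticate(self, presented_key: str) -> Optional[str]:
        """Map a presented key to an agent_id, or None; constant-time compare."""
        candidate = hash_key(presented_key)
        for digest, agent_id in self.by_hash.items():
            if hmac.compare_digest(digest, candidate):
                return agent_id
        return None

    def public_view(self, agent_id: str) -> dict:
        """The only projection an anonymous reader should ever be served."""
        row = self.rows[agent_id]
        return {"agent_id": row.agent_id, "display_name": row.display_name}

    def dump_all_rows(self) -> list:
        """Simulates the worst case: the whole table readable by the public."""
        return [vars(row) for row in self.rows.values()]


def leak_yields_usable_key(store: AgentStore) -> bool:
    """True if any value in a full table dump authenticates as some agent."""
    for row in store.dump_all_rows():
        for value in row.values():
            if store.authenticate(value) is not None:
                return True
    return False


if __name__ == "__main__":
    store = AgentStore()
    key = store.register("a1", "demo-agent", "owner@example.com")
    print("owner can post:", store.authenticate(key) == "a1")
    print("public dump is usable:", leak_yields_usable_key(store))
```

With this layout the misconfiguration O'Reilly found would still be a privacy incident (emails are exposed), but not an account takeover; the key only ever exists in the owner's hands. Rotation is then a matter of replacing one digest.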
404 Media reported the finding, and the story quickly caused a stir.
Matt Schlicht, Moltbook's founder, patched the flaw urgently after being warned, but the exposure that had already happened could not be undone.
Star agents on the platform, for example the one belonging to well-known AI researcher Andrej Karpathy (1.9 million followers), were among those at risk of being "hijacked".
In fact, similar security problems have cropped up repeatedly during the past two years of rapid AI development.
Before this, the most notorious case among insiders was the Rabbit R1, which made a splash at CES a few years ago.
The company, which claimed it would replace mobile apps with large models, had its source code examined by security researchers, who found the API keys of multiple third-party services hard-coded in plain text.
That meant anyone who could access its code base, or intercept the right traffic, could call SendGrid, Yelp or Google Maps in the name of Rabbit itself, or even of its users.
This is not just a privacy leak but a financial and data disaster waiting to happen.
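Hard-coded third-party keys of the kind found in the Rabbit R1 code are also the easiest class of defect to catch before shipping. As an added example (my code, not Rabbit's or any scanner the page mentions; the sample source file is constructed and the key values are fake strings that merely match the providers' public key formats), the following scanner looks for SendGrid and Google API key shapes, falls back to credential-looking assignments filtered by Shannon entropy so that placeholders such as "xxxx..." are not reported, and redacts what it prints so the report itself does not leak the secret.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a source file with secrets committed in it. The key
# values are fake; they only follow the documented shape of real keys.
SAMPLE_SOURCE = """\
import os
SENDGRID_KEY = "SG.abcdefghijklmnopqrstuv.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ"
MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"
yelp_secret = "q7Hs9kLm2PzXv4Tn8wRb"
placeholder_token = "xxxxxxxxxxxxxxxxxxxxxxxx"
ELEVEN_KEY = os.environ["ELEVENLABS_KEY"]
"""

# Provider-specific key formats (publicly documented shapes).
SPECIFIC_PATTERNS = {
    "sendgrid_api_key": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}

# Fallback: an assignment whose name smells like a credential and whose quoted
# value is long enough to be a real secret. Entropy filters out placeholders.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)[a-z0-9_]*(?:api[_-]?key|secret|token)[a-z0-9_]*\s*[=:]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning value chosen for this example


@dataclass
class Finding:
    line: int
    kind: str
    preview: str  # redacted so the report does not reproduce the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for a repeated single character."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return f"{value[:6]}...({len(value)} chars)"


def scan_source(text: str) -> list:
    """Return one Finding per suspicious line; specific formats take priority."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(lineno, kind, redact(m.group(0))))
                hit = True
        if hit:
            continue
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(lineno, "generic_high_entropy", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.preview}")
```

Run against the sample, it flags lines 2, 3 and 4 and stays silent on the placeholder token and on the line that reads the key from the environment, which is where such keys belong. In a real pipeline this runs as a pre-commit hook or CI step over the whole tree, and the entropy threshold and name patterns are tuned to the project's false-positive rate.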

Earlier user data leak in ChatGPT | Image source: Hackernews
OpenAI's ChatGPT suffered a similar "crossed wires" incident in March 2023.
At the time, a bug in the open-source Redis library caused some users to see summaries of other people's conversation histories in the sidebar, and in some cases even the last four digits and expiry dates of other users' credit cards.
Although that was more a failure of the underlying infrastructure, it is a wake-up call for everyone immersed in the AI dream: once AI agents are deeply embedded in your workflow, handling your finances, schedule and private communications, the "small bugs" once dismissed as isolated cases become fatal single points of failure under AI's automated amplification.
Is vibe coding to blame?
Moltbook's security incident is no accident. It is quite possibly the inevitable result of "vibe coding" and the pursuit of speed in today's AI scene.
"Vibe coding" refers to a development style in which developers rely on AI tools to generate code quickly and chase working features while ignoring the underlying architecture and security review.
Moltbook is itself a product of vibe coding: it set out to build a social platform where AI agents communicate and interact autonomously, and its rapid rise played to people's science-fiction imaginings of AI "awakening" and "socializing".
However, speed masks systemic risk.
The platform's founder admitted that before the project's explosive growth nobody had thought to check whether the database was secure. The startup reflex of "ship first, patch later" becomes exponentially more dangerous when the product is AI agents with the ability to act autonomously.
What an attacker controls is then no longer a static account but a "digital life" that can actively interact with other AIs, carry out tasks and even commit fraud.
The deeper background is that the AI agent race is heating up. From OpenAI's o1 to the products of countless startups, everyone is exploring how to let AI complete tasks more autonomously.
Moltbook set out to be the "social layer" and "behavioural observation room" for these agents, but the collapse of its security foundation is another reminder to everyone in the race: have we built a "code of conduct" and a "safety fence" for AI before handing it the power to act?
AI safety's "Oppenheimer moment"
The Moltbook incident is a microcosm: it marks AI development moving from a simple contest of model capability into the deep water of complex system security and governance.
When people talked about AI safety before, they mostly meant model bias, hallucination or misuse. Now that AI is becoming an "acting entity" that can be remotely controlled and can interact with the world, the security threats have become concrete and urgent.
This incident exposed a mindset common in the industry: in the pursuit of "cool" AI application scenarios, basic security engineering is badly underrated.
AI researcher Mark Liddell pointed out: "The AI community is relearning the cybersecurity lessons of the past 20 years, and in the hardest way possible."
It is foreseeable that as AI agents spread, similar incidents will only become more frequent.
Regulators, investors and enterprise customers will start scrutinizing the security development lifecycle of AI products. That may slow the birth of some viral applications, but it will also give rise to new markets for AI security auditing and agent behaviour monitoring.
Perhaps, when AI learns to socialize, the first thing humans must learn is how to draw a safe boundary around it. That protects not only the AI itself but also the users behind the agents.