AI Malware strikes curl developers


Image by: securitybydefault.com, Creative Commons

The scourge of misused AI [1] (so-called) has turned on the developers of the Curl project in a new kind of denial-of-service attack: a flood of machine-generated security reports that each consume maintainer time to triage and dismiss.

Curl, like wget, is a command-line tool (and, as libcurl, a library) that can be used directly at the prompt or from scripts to transfer files to and from remote hosts over HTTP and many other protocols. It is installed on a vast number of systems, which is why its security reports matter. The attacks themselves take the form of bug reports submitted through HackerOne, a platform that runs vulnerability-disclosure and bug-bounty programs for other organizations, one of which is the Curl project.

Every AI-generated report examined so far has turned out to be bogus: none of them described a bug that actually exists.

So far the Curl project has received these only via HackerOne and through none of its other channels. The author's guess is that this is because HackerOne itself offers AI features to "assist" users in writing up submissions. The motive for bombarding a project with AI-generated reports is the bug bounty advertised on the HackerOne and Curl web sites: the submitters are gambling that if they file enough reports, one or more will happen to describe a real bug and collect the payout. In 2024 the Curl project paid about US$2,400 per verified mid-range security bug, so there is a decent payoff for finding a real one, and essentially zero cost to the submitter for each false report.

Daniel Stenberg, creator of the Curl project and its current leader, is understandably angry about the resources his team wastes investigating these false reports and has "put his foot down" in a post on LinkedIn. I include the entire post here, but you can see the rest of the thread here.


That's it. I've had it. I'm putting my foot down on this craziness.

1. Every reporter submitting security reports on #Hackerone for #curl now needs to answer this question:

"Did you use an AI to find the problem or generate this submission?"

(and if they do select it, they can expect a stream of proof of actual intelligence follow-up questions)

2. We now ban every reporter INSTANTLY who submits reports we deem AI slop. A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time.

We still have not seen a single valid security report done with AI help.

You might already know that I dismiss the idea that we have anything close to AI and that it’s all just clever programming. I am convinced that Robbie the Robot should be the standard by which we measure true AI. Forget that “Lost in Space” garbage and watch the film, “Forbidden Planet.”

While proponents of AI contend that AI can be used to save time and effort for humons, this event shows that it can easily be used maliciously, or worse, carelessly, to waste time.

AI is also touted as a boon for programmers, yet most of the instances I've read about seem to produce code that might look good on the surface, but which is pure garbage. So anyone using AI to create code should examine such code carefully to understand what it really does, even if the output seems correct in testing. Training an AI on maliciously constructed code would create new threat profiles for programmers using that AI, since the model would reproduce the planted flaws in what it generates.

Read the original article at Ars Technica for more details about the Curl project's problems with AI slop.

All this clever programming will bury humons in a pile of AI-generated excrement before we can ever get to real AI.


  1. You should mentally add quotes around all uses of "AI" in this article and imagine the sounds of sarcasm as you read the term.
