Nepali Researchers Uncover Critical Security Flaw in Chinese AI System
Kathmandu, February 10 – Researchers from Nepali cybersecurity firm Cynical Technology Pvt. Ltd. have discovered a critical security vulnerability in the Chinese AI chatbot Qwen AI. This flaw allowed malicious hackers to bypass the email verification system and gain unauthorized access to user accounts.
Vulnerability in the OAuth System
According to the investigation, the vulnerability was found in Qwen AI’s OAuth verification process, which failed to authenticate user email addresses before creating or granting access to accounts. This loophole significantly increased the risk of account hacking by allowing attackers to use someone else’s email to gain unauthorized access.
OAuth is a third-party authentication system that enables users to sign up or log in securely through services like Google or Facebook. However, Cynical Technology’s report revealed that Qwen AI failed to verify email ownership during the OAuth process.
How the Flaw Worked
Cynical’s report stated that Qwen AI trusted email parameters sent through client-side requests without verifying them on the server-side. This allowed attackers to modify the email parameters in the URL to gain access to unauthorized accounts.
For example, when a user logged in through a Google account, Google would send user details such as email and profile information to Qwen AI. However, Qwen AI failed to verify these details on its server, creating a significant security risk.
Solution by Alibaba Team
Cynical Technology promptly informed Alibaba’s security team about this vulnerability. Alibaba investigated and fixed the issue by enhancing the authentication process, ensuring its security. The fix was acknowledged in Cynical’s official blog.
Potential Risks
This vulnerability could have led to several security threats, including:
- Account Takeover: Hackers could have hacked accounts using unverified emails.
- Phishing and Fraud: Attackers could use fake emails of reputable individuals or organizations to carry out phishing attacks.
- Identity Theft: Fake profiles could be created to deceive users.
- Legal Risks: The flaw could have violated privacy regulations like GDPR, exposing Qwen AI to legal challenges.
Cynical Technology’s Contribution
Cynical Technology has been actively identifying such critical flaws and notifying the concerned companies to enhance cybersecurity. The company continues to work towards strengthening cybersecurity both in Nepal and globally.