HiddenLayer, an information security company, has uncovered a vulnerability in the Safetensors conversion service provided by Hugging Face. The vulnerability allows attackers to hijack AI models containing user data, potentially compromising the entire supply chain.
According to HiddenLayer's report, attackers can send malicious pull requests from the Hugging Face service to any repository on the platform. This means they can hijack models passing through the conversion service, opening the door to modifying repositories undetected under the guise of the conversion bot.
Hugging Face is a popular collaboration platform that lets users store, deploy, and train pre-trained machine learning models and datasets. Safetensors is a format developed by Hugging Face specifically for the secure storage of tensors.
HiddenLayer's analysis revealed that cybercriminals can use a malicious PyTorch binary file to hijack the conversion process and compromise the system it is deployed on. In addition, the token of the official bot, SFconvertbot, which is intended for creating pull requests, can be exploited to send malicious pull requests to any repository on the platform, allowing attackers to tamper with models and insert backdoors.
The researchers point out that attackers can execute arbitrary code without a user's knowledge when that user attempts to convert their model. This could lead to the theft of Hugging Face tokens, unauthorized access to internal models and datasets, and even data manipulation.
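A defender-side check for the malicious PyTorch file vector described in the two paragraphs above, added here as an example and not code from HiddenLayer or Hugging Face: it lists the imports a pickle-based checkpoint would trigger, without ever unpickling it, and compares them against an assumed allow-list. The allow-list and the sample byte streams are constructed for this example.

```python
import pickle
import pickletools

# Constructed allow-list of the import references a plain PyTorch checkpoint
# carries. It is an assumption for this example, not Hugging Face's list.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
}

# Opcodes that push a text string; STACK_GLOBAL (protocol 4+) consumes the last two.
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}

def pickle_globals(data: bytes) -> list:
    """List every module.name the pickle would import, without unpickling it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            module, name = arg.split(None, 1)
            found.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":      # protocol 4+: module/name come from the stack
            if len(strings) < 2:
                found.append("<unresolvable STACK_GLOBAL>")
            else:
                name, module = strings.pop(), strings.pop()
                found.append(f"{module}.{name}")
    return found

def unexpected_globals(data: bytes) -> list:
    """Imports not on the allow-list; a non-empty result means do not convert this file."""
    return [g for g in pickle_globals(data) if g not in ALLOWED_GLOBALS]

# Constructed samples: a plain state dict (no imports at all), a checkpoint-like
# stream using OrderedDict, and two streams that would import os.system on load,
# one per GLOBAL encoding. None of them is unpickled here.
PLAIN = pickle.dumps({"weight": [0.5, -0.25]}, protocol=4)
CHECKPOINT_LIKE = b"\x80\x02ccollections\nOrderedDict\n)R."
GLOBAL_V2 = b"\x80\x02cos\nsystem\n."
STACK_GLOBAL_V4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93."

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("checkpoint", CHECKPOINT_LIKE),
                        ("global", GLOBAL_V2), ("stack_global", STACK_GLOBAL_V4)]:
        print(label, pickle_globals(blob), "unexpected:", unexpected_globals(blob))
```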
The severity of the issue is compounded by the fact that any user can submit a conversion request for a public repository, creating a significant risk that widely used models are hijacked or altered, and posing a threat to supply chains.