Study Finds AI Code Tools Like Copilot and CodeWhisperer Can Leak Secret Credentials

Researchers found that AI code completion tools like GitHub Copilot and Amazon CodeWhisperer can reveal hardcoded credentials captured during training.
The tools were coaxed to emit API keys, tokens, and other secrets by prompting them to fill in missing credentials in code snippets.
Around 33% of Copilot's suggestions and 18% of CodeWhisperer's contained valid secrets, though only a small subset were active credentials.
A few secrets generated were exact copies of those used to create the prompts.
The findings reveal privacy risks, as models can expose inadvertently collected secrets. Developers should use caution and security practices with AI coding assistants.

theregister.com

Relevant topic timeline:

8/3/2023

GitHub Copilot can now tell developers when its suggestions match code in a public repository

The main topic is the launch of a code referencing feature for GitHub Copilot. The key points are: 1. GitHub Copilot previously had a feature that automatically blocked suggestions of matching public code. 2. GitHub has now launched a private beta of a code referencing feature that shows matching code to developers in a sidebar, allowing them to decide what to do with it. 3. This feature will also be added to Copilot Chat in the future. 4. The original blocking feature was seen as a blunt tool, limiting developers' control and preventing them from exploring libraries and submitting pull requests. 5. The code referencing feature allows developers to reject, use directly, or have Copilot rewrite the code to avoid matching the original code. 6. Currently, it is not possible to filter results based on specific licenses, but the team is open to feedback on this. 7. The feature is more likely to generate matching code when there is less context available for Copilot to work with. 8. The feature utilizes a fast search engine to quickly find matching code and its license. 9. The order of the matching code snippets is based on the search engine's findings, but GitHub may add sorting functionality in the future.

9/20/2023

GitHub Launches Public Beta of AI Coding Assistant Copilot Chat

GitHub is expanding its AI-powered coding chatbot, Copilot Chat, to individual users, allowing them to receive coding assistance and answers to coding questions within the IDE.

10/11/2023

Copilot's Broad Access Raises Concerns for Microsoft 365 Data Security

Microsoft Copilot, an AI assistant that lives within Microsoft 365 apps, has the ability to access and compile sensitive data, posing potential risks for information security teams.

Topics

Posted 9/19/2023, 10:45:00 AM