AI Sec Watch

Anthropic has refused to let the U.S. Department of Defense use its AI technology for mass surveillance (monitoring large groups of people without individual suspicion), but FBI Director Kash Patel revealed that authorities can already conduct large-scale surveillance of Americans by purchasing data directly from private companies, bypassing the need for AI firms' cooperation.

Director Valerie Veatch explored OpenAI's Sora text-to-video generative AI model (software that creates videos from text descriptions) in 2024, hoping to connect with other artists in online communities. However, she discovered that the AI frequently generated images containing racism and sexism, and was disturbed that other AI enthusiasts seemed unconcerned about these biased outputs.

OpenClaw, an open-source AI assistant project, has become extremely popular and is enabling developers to build and run AI agents locally on personal computers rather than relying on expensive cloud services from major AI companies. This rapid growth has sparked concern that advanced AI models are becoming commodities, with the same capabilities now available cheaply through open-source alternatives instead of only through expensive proprietary services from companies like OpenAI and Anthropic.

Google has launched Gemini task automation, a feature that lets an AI assistant use apps on your phone to complete tasks for you, currently available on Pixel 10 Pro and Galaxy S26 Ultra phones in beta. The feature works with a limited number of services like food delivery and rideshare apps, and while it's slow and sometimes clunky, it represents an early example of an AI actually performing actions on a device rather than just answering questions.

Agentic AI (AI systems that can independently take actions) is expected to handle 15-25% of e-commerce by 2030, but this growth creates security risks for retailers. Threat actors may exploit AI agents to commit fraud such as gift card theft and returns fraud, with estimates suggesting one in four data breaches by 2028 could involve AI agent exploitation. Google has introduced the Universal Commerce Protocol (UCP), an open standard designed to enable secure payments between AI agents and retail systems, though the article emphasizes that defending against AI-enabled fraud remains a critical challenge for organizations.

OpenAI is running a limited test of ads on ChatGPT with major ad agencies, but the rollout is slower than partners expected, frustrating them since they committed large budgets ($200,000-$250,000 each) that may not be fully spent by the March deadline. OpenAI says the slow pace is intentional to learn from users before expanding broadly, and recent data shows ad delivery is accelerating with a 600% increase in ads served by mid-March.

Langflow's /profile_pictures/{folder_name}/{file_name} endpoint has a path traversal vulnerability (a flaw where attackers use ../ sequences to access files outside the intended directory). The folder_name and file_name parameters aren't properly validated, allowing attackers to read the secret_key file across directories. Since the secret_key is used for JWT authentication (a token system that verifies who you are), an attacker can forge login tokens and gain unauthorized access to the system.

The h3 library's EventStream class fails to remove carriage return characters (`\r`, a line break in the Server-Sent Events protocol) from `data` and `comment` fields, allowing attackers to inject fake events or split a single message into multiple events that browsers parse separately. This bypasses a previous fix that only removed newline characters (`\n`).

etcd (a distributed key-value store used in systems like Kubernetes) has multiple authorization bypass vulnerabilities that let unauthorized users call sensitive functions like MemberList, Alarm, Lease APIs, and compaction when the gRPC API (a communication protocol for remote procedure calls) is exposed to untrusted clients. These vulnerabilities are patched in etcd versions 3.6.9, 3.5.28, and 3.4.42, and typical Kubernetes deployments are not affected because Kubernetes handles authentication separately.