Google’s Threat Intelligence Group said it had for the first time caught hackers using AI to discover and exploit a so-called zero-day vulnerability, or a security flaw the software’s developer does not yet know exists and for which no fix is available.
it you want the insight of a real hacker who knows how to find a zero day and tried using AI to do it, watch this video: https://youtu.be/BLqRiL_GY3A
TL;DR: it’s possible, if you pre chew it for AI (it’s very bad at decompiling), focus on a known type of vulnerabilities (so you’re already an expert because you know how it looks like and can direct the AI to look for that pattern), you end up spending a big amount of money for an exploit on a piece of software where its maintainer doesn’t have a bug bounty or pay so low that it’s not even covering the tokens used on the LLM.
Do these news ever come out from somebody else than an AI salesperson?
By the way, I feel we still need more info on the entire AI vulnerability scanning. Mozilla and Anthropic have this cooperation and they tell some big numbers.
On the other hand, for example Daniel Stenberg from CURL isn’t impressed: Mythos finds a CURL vulnerability, The Pressure
But I guess we’ll find out anyway. Usually, the truth is somewhere between the extremes and way more complicated than people’d think. But yeah, guess it is a tool for script kiddies and nebulous North Korean hackers.
If only anyone but hackers had access to these tools to fix said flaws. Ah shucks!
