H3C's Lingxi AI Assistant inadvertently exposed API credentials for several cloud-based models for three months before revocation. The credentials, found in plaintext within the installer's code, included keys for Zhipu AI, Baidu Qianfan, and ByteDance's Volcano Engine. Despite being reported by users in January, H3C only revoked the credentials in early May.
The delay in response is attributed to the shared use of API keys across multiple internal teams, complicating immediate revocation. Fortunately, the limited user base of the product prevented large-scale exploitation, avoiding potential financial losses.
H3C Lingxi Assistant Exposed API Credentials for Three Months
Disclaimer: The content provided on Phemex News is for informational purposes only. We do not guarantee the quality, accuracy, or completeness of the information sourced from third-party articles. The content on this page does not constitute financial or investment advice. We strongly encourage you to conduct you own research and consult with a qualified financial advisor before making any investment decisions.