SAP AI Core

2024: Software holes for years have allowed hackers to steal cloud user data

On July 17, 2024, the Wiz Research Team announced the discovery of vulnerabilities in the SAP AI Core platform, designed to work with artificial intelligence models. The holes allegedly allowed hackers to steal user data for years.

The process of training corporate AI systems, as noted, requires access to a huge amount of confidential customer data. Therefore, the corresponding services become an attractive target for attackers. In addition, the SAP AI Core platform provides integration with various cloud services. At the same time, the customer code is executed in the general SAP environment, which creates additional risks of information leakage.

Bloomberg

In total, Wiz Research Team specialists have discovered five vulnerabilities in SAP AI Core. By exploiting the holes, attackers can gain access to other users' modules and steal sensitive information such as training datasets and code. In addition, cybercriminals can interfere with the operation of client modules, distort AI data and manipulate results. The problems arise because the platform allows malicious AI models and training procedures to be run without adequate isolation and sandbox mechanisms. SAP was informed about the presence of vulnerabilities in January 2024, and by May of this year, the detected problems were finally fixed.

This study demonstrates the unique challenges that come with working with AI. Training models of artificial intelligence by definition requires the launch of arbitrary code, and therefore it is necessary to use special protective mechanisms that ensure that such code is separated from internal IT resources, the Wiz Research Team experts emphasize.[1]

Notes