One-Click RCE on Clawd/Moltbot in 2 Hours with an AI Hacking Agent (ethiack.com)

A groundbreaking AI assistant named Clawdbot, recently rebranded as Moltbot, has been developed to integrate with various messaging services, enabling users to manage personal tasks through simple messaging. However, concerns have emerged after Hackian, an AI penetration testing agent, successfully exploited a critical vulnerability within Clawdbot, achieving a one-click account takeover leading to remote code execution (RCE) in just under 2 hours. The exploit allowed attackers to extract authentication tokens from the Gateway Control UI, which is enabled by default, through a cross-site request forgery (CSRF) scenario via WebSocket communication. This exploit highlights significant security vulnerabilities in AI and ML systems, particularly those with extensive public accessibility. With many users deploying Clawdbot on public servers without proper security configurations, the incident serves as a wake-up call for the AI community about the urgent need for robust security measures. The rapid pace of AI development calls for equally advanced security tools to safeguard user data against malicious exploits. The vulnerability has since been patched, but it underscores the potential risks associated with rapidly adopted technology, emphasizing the necessity for AI-driven ethical hacking to mitigate future threats.