Researchers at Wake Forest University tested 444 AI chatbot apps for iPhone and found that 282 of them (nearly two-thirds) exposed paid AI access through their network traffic. The leaks included plaintext API keys, reusable tokens, or backend servers that accepted requests without any key. Attackers can exploit these to send model requests on the developer’s account, incurring charges. After three months of notification, only 28% of developers fixed the issue.
The study used a custom tool called LLMKeyLens to monitor app traffic without jailbreaking. The leaks fell into three categories: plaintext keys (54 apps), no key needed (92 apps), and replayable tokens (136 apps). For 28 plaintext-key apps, the hidden system prompt was also exposed. The leaks spanned at least ten AI providers, with OpenAI being the most common, across 13 app categories. Productivity apps were the largest group, while health and fitness apps had the highest leak rate. Finance and medical apps leaked nothing.
Stolen AI keys enable LLMjacking, where attackers run models for free. Sysdig calculated a worst-case scenario of over $46,000 per day in AI charges. One popular app with over 100,000 ratings set its access token to expire in 2125, and another’s one-hour token still worked 128 days after expiration. The researchers recommend routing AI calls through a server that checks who is calling and revoking leaked keys. They also urge AI providers to label client-side keys as unsafe and Apple to screen for this during App Store review.
CVEs: CVE-2026-20245
Companies: OpenAI, Google, Apple, Sysdig, Wake Forest University
Products: LLMKeyLens, LM-Scout, Leaky Apps
Original source: thehackernews.com