A researcher with the handle “single mode” has demonstrated how client-side code manipulation can bypass access controls and gain unauthorized access to Grok-3, an AI model integrated into Elon Musk’s X platform. The script modifies the browser’s window object to search for references to “grok-2a,” a lower-tier AI model, and replaces them with “grok-3,” effectively tricking the system into granting access to the more advanced AI model. Once the script is executed, subsequent API requests from the user’s browser include “grok-3” as the model identifier, enabling access to its exclusive features. Released on February 17, 2025, Grok-3 is referred to as “the smartest AI on Earth.” It features enhanced reasoning, creativity, and computational capabilities that surpass those of its predecessor, Grok-2, as well as many of its competitors. This approach leaves sensitive features like Grok-3 vulnerable to exploitation by anyone with basic technical knowledge and access to developer tools, according to Dark-Marc’s post. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. This attack exposes a serious security flaw categorized under Broken Access Control, one of the most critical vulnerabilities in modern web applications. By targeting how the platform assigns AI model identifiers, the script circumvents intended restrictions that should have been enforced server-side. Instead of enforcing access restrictions on the server where they are more secure the X platform relies on client-side controls, which are inherently easier to manipulate.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 09:45:17 +0000