Project AI Hardcoded API Key Vulnerability

Vulnerability

A vulnerability exists in Project AI, a platform for creating AI agents, due to a hardcoded API key in the source code. The key was publicly visible in all stable versions prior to the pre-beta release, potentially allowing unauthorized access to the external service it authenticates to. The vulnerability has been addressed in the pre-beta version by removing the key from the source and replacing it with a placeholder, and by purging the Git history to eliminate traces of the exposed key from the upstream repository.

Impact

Anyone who copied the hardcoded API key could use it to interact with the third-party service on the key owner's behalf. Depending on the privileges granted to the key, this could lead to unexpected charges billed to the owner, exhaustion of the owner's rate limits (a denial of service for legitimate users of the key), or unauthorized reading or modification of data held at that service.

Reproduction

The vulnerability can be reproduced by examining the source code of Project AI in versions prior to the pre-beta release: the hardcoded API key appears as a string literal in several Python files, including 'ai.py', 'dhriti.py', 'kvs.py', 'main.py', 'maintext.py', 'mm.py', and 'server.py'. Because the key was duplicated across files rather than read from one configuration point, every copy has to be found; in a clone taken before the history purge the key is also present in earlier commits, not only in the working tree.
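The following scanner is an added example for this advisory and is not Project AI code. It shows how a reviewer would locate every copy of a key like the one described above: each .py file is parsed with the standard-library `ast` module and any string literal assigned to a credential-looking name, passed as a credential-looking keyword argument, or shaped like a long high-entropy token is reported with the value redacted. The variable names, the placeholder strings and the two sample source files are constructed for the demo; they are not taken from the Project AI repository.

```python
"""Find hardcoded API keys in a Python source tree (added example, not Project AI code)."""
import ast
import math
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional

# Assumption: names like these are where keys usually end up.
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|passw(or)?d", re.I)
# Values that are stand-ins, not live credentials (the pre-beta uses a placeholder).
PLACEHOLDERS = {"", "YOUR_API_KEY", "<api-key>", "REPLACE_ME", "changeme"}
# Shape of an opaque token: 20+ chars from a base64url-ish alphabet. This deliberately
# excludes URLs and file paths, which are also high-entropy but contain '/', ':' or '.'.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
ENTROPY_BITS = 3.5  # per-character Shannon entropy above which a token is flagged


class Finding(NamedTuple):
    path: str
    line: int
    name: str
    redacted: str  # the scanner never echoes the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(value: str) -> bool:
    """Heuristic for an opaque credential even when the variable name gives no hint."""
    return bool(TOKEN_SHAPE.match(value)) and shannon_entropy(value) > ENTROPY_BITS


def redact(value: str, keep: int = 4) -> str:
    return value[:keep] + "*" * max(len(value) - keep, 0)


def _target_name(node: ast.AST) -> Optional[str]:
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):  # e.g. openai.api_key = "..."
        return node.attr
    return None


def scan_source(source: str, path: str = "<string>") -> List[Finding]:
    """Return a Finding for every suspicious string literal in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        pairs = []  # (name, value node, line number)
        if isinstance(node, ast.Assign):
            pairs = [(_target_name(t), node.value, node.lineno) for t in node.targets]
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            pairs = [(_target_name(node.target), node.value, node.lineno)]
        elif isinstance(node, ast.Call):  # e.g. Client(api_key="...")
            pairs = [(kw.arg, kw.value, node.lineno) for kw in node.keywords]
        for name, value, line in pairs:
            if name is None or not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
                continue
            literal = value.value
            named = SECRET_NAME.search(name) is not None and literal not in PLACEHOLDERS
            if named or looks_like_token(literal):
                findings.append(Finding(path, line, name, redact(literal)))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Scan every .py file under root; files that do not parse are skipped."""
    findings = []
    for py in sorted(root.rglob("*.py")):
        try:
            findings.extend(scan_source(py.read_text(encoding="utf-8"), str(py.relative_to(root))))
        except SyntaxError:
            continue
    return findings


# Constructed samples: one file with a fake key in two forms, one clean file.
LEAKY_SOURCE = '''\
import openai
OPENAI_API_KEY = "sk-a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV"   # constructed, not a real key
openai.api_key = OPENAI_API_KEY
client = Client(token="ghp_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0")  # constructed
'''
CLEAN_SOURCE = '''\
import os
API_KEY = "YOUR_API_KEY"          # placeholder, as in the pre-beta fix
BASE_URL = "https://api.example.com/v1/agents"
real_key = os.environ.get("PROJECT_AI_API_KEY")
'''


def demo() -> List[Finding]:
    """Write the samples into a temporary directory and scan it like a checkout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ai.py").write_text(LEAKY_SOURCE)
        (root / "server.py").write_text(CLEAN_SOURCE)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}: {f.name} = {f.redacted}")
```

Run against a pre-fix checkout, `scan_tree` lists each file and line holding the literal, which is the list a maintainer needs before replacing every copy with a single environment lookup. The scanner only sees the working tree; commit history must be searched separately (for example with `git log -S` on the literal), and it will not catch a key assembled at runtime from fragments.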

Remediation

Users are advised to upgrade to the pre-beta version, in which the key has been removed from the source; note that the pre-beta is not a stable release. Upgrading removes the key from the code users run, but it does not invalidate the key itself. A key that was public in every stable release should be assumed to have been copied, and rewriting the upstream Git history does not reach clones, forks, mirrors or package archives taken while the key was present. The key should therefore be revoked at the issuing service and, if still needed, reissued and supplied through configuration rather than embedded in source.
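The loader below is an added example of the hardened pattern the fix points toward; it is not Project AI code. It reads the key from the environment, refuses to start with an empty value or with the source placeholder, and rejects a key whose SHA-256 fingerprint matches one recorded as revoked after a leak, so a rotated-out key cannot quietly come back through a stale .env file. The environment variable name PROJECT_AI_API_KEY, the placeholder string "YOUR_API_KEY" and the revoked fingerprint (the digest of a constructed dummy value) are assumptions, not values from the advisory.

```python
"""Load the API key from the environment and refuse known-bad values (added example, not Project AI code)."""
import hashlib
import hmac
import os
from typing import Mapping, Optional

ENV_VAR = "PROJECT_AI_API_KEY"  # assumption: variable name is not given in the advisory
PLACEHOLDER = "YOUR_API_KEY"    # assumption: the pre-beta's placeholder value is not given either


class ApiKeyError(RuntimeError):
    """Raised instead of silently calling the provider with a bad key."""


def fingerprint(key: str) -> str:
    """SHA-256 hex digest of the key: safe to commit, lets an old key be recognised without storing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Assumption: fingerprints of keys that were revoked after leaking. The entry here is
# the digest of a constructed dummy value standing in for the leaked key.
REVOKED_FINGERPRINTS = {fingerprint("sk-constructed-old-leaked-key-0000000000")}


def validate_api_key(value: str) -> Optional[str]:
    """Return why `value` is unusable ('empty', 'placeholder', 'revoked'), or None if it passes."""
    value = value.strip()
    if not value:
        return "empty"
    if value == PLACEHOLDER:
        return "placeholder"
    fp = fingerprint(value)
    # compare_digest keeps the comparison constant-time even though fingerprints are not secret.
    if any(hmac.compare_digest(fp, old) for old in REVOKED_FINGERPRINTS):
        return "revoked"
    return None


def load_api_key(env: Optional[Mapping[str, str]] = None, var: str = ENV_VAR) -> str:
    """Return the key from env[var] (default os.environ) or raise ApiKeyError with the reason."""
    env = os.environ if env is None else env
    value = env.get(var, "")
    problem = validate_api_key(value)
    if problem is not None:
        raise ApiKeyError(f"{var}: key is {problem}; set a valid key in the environment, never in the source")
    return value.strip()


if __name__ == "__main__":
    try:
        key = load_api_key()
        print(f"loaded key ending in ...{key[-4:]}")
    except ApiKeyError as exc:
        print(f"refusing to start: {exc}")
```

Failing closed at startup is the point: an agent platform that falls back to a placeholder or an old key would surface the problem only as confusing errors from the provider, or, in the case of a revoked key that is still accepted somewhere, as silent use of a credential that should be dead.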

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 7.7
relevance: 0.1
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.