mckaywrigley / chatbot-ui

AI chat for every model.
https://chatbotui.com
MIT License
28k stars, 7.8k forks

API keys are stolen using this app #951

Closed GEMTechnologies closed 7 months ago

GEMTechnologies commented 1 year ago

I saw this a couple of months ago; any key I use here tends to increase usage even though I am not doing anything. How can I use $150 in one day, really?

signalprime commented 1 year ago

for real?

nxtreaming commented 1 year ago

I do not think the API keys are leaked by the default installation.

But you should protect your APIs with authorization; otherwise, your APIs could be used by third parties.

KyleRobertsAI commented 1 year ago

To clarify, the app isn't "leaking" the API key.

As you can see on docker: https://hub.docker.com/search?q=chatbot-ui&source=community&sort=updated_at&order=desc

A total of 91 'chatbot-ui' repos have been added, many of which have multiple downloads.

This looks like user error: not protecting the application with authentication, or not following the steps to keep environment variables safe.

auxon commented 1 year ago

Never mind, I was mistaken... getServerSideProps is returning a bool, not the key.

albert-carreras commented 1 year ago

I tested this: I added 1 dollar on a new OpenAI API key that I use nowhere else. I built the docker image locally. I ran it. I used it once to check if it was working.

The next day, 25 dollars of quota exceeded.

This is doing something bad, guaranteed. My application is behind Tailscale; no one can access it.

GEMTechnologies commented 1 year ago

This is the truth: this app leaks keys somehow, and people are out there making us suffer. I gave up on this, even though it was my best choice for using GPT-4 without caps.

nooperation commented 12 months ago

I also got hit with an exceeded quota today and I was also going to say it leaks, but then I realized it was just some person who found the not-so-obscure port I was running the service on. I had an nginx config with htpasswd authentication, and all of that behind Cloudflare. It was all secure from the frontend perspective, and I had ufw blocking all ports except a select few.

Docker doesn't care about your firewall. Docker plays with your iptables if you run it with -p, opening that port to the entire world and bypassing whatever software firewall you have running on that server.

tl;dr: Make sure you don't actually have the service open for the entire world to access because you're running docker with -p. Bots are looking for things like this. Test it.
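Two checks for the failure mode described in this comment, as an added example that is not code from the chatbot-ui project: a lint for `-p`/`--publish` specs that are not pinned to a host address, and a filter over `ss -ltn` output for wildcard listeners on the app's port. Port 3000 and the `ss` output are assumed/constructed for the demo.

```shell
#!/bin/sh
# Added example (not chatbot-ui project code): catch the case where
# "docker run -p 3000:3000" publishes the port on every interface and
# Docker's own iptables rules sidestep ufw.
# Port 3000 is assumed; the ss(8) output below is constructed.

# Returns 0 when a -p/--publish spec is pinned to a specific host address
# (127.0.0.1:3000:3000), 1 when it listens on all interfaces (3000:3000,
# 0.0.0.0:3000:3000 or [::]:3000:3000).
publish_spec_is_local() {
  spec=${1%/*}                        # drop a trailing /tcp or /udp
  case $spec in
    0.0.0.0:*|\[::\]:*) return 1 ;;   # explicit wildcard address
    *:*:*) return 0 ;;                # ip:hostport:containerport or ip::containerport
    *) return 1 ;;                    # hostport:containerport or bare port
  esac
}

# Reads "ss -ltn" output on stdin and prints every wildcard listener on port $1,
# i.e. sockets bound to 0.0.0.0, [::] or * that ufw is not shielding when
# Docker created them.
wildcard_listeners_on_port() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")                 # port follows the last colon
      p = parts[n]
      host = substr($4, 1, length($4) - length(p) - 1)
      if (p == port && (host == "0.0.0.0" || host == "[::]" || host == "*"))
        print host ":" p
    }'
}

# Constructed ss -ltn output: one loopback-only listener plus two wildcard ones.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:3000      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:3000        0.0.0.0:*
LISTEN 0      4096   [::]:3000           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

for spec in "3000:3000" "127.0.0.1:3000:3000" "0.0.0.0:3000:3000/tcp"; do
  if publish_spec_is_local "$spec"; then
    echo "OK       -p $spec (bound to a host address)"
  else
    echo "EXPOSED  -p $spec (all interfaces; rebind as 127.0.0.1:3000:3000)"
  fi
done
echo "Wildcard listeners on 3000 (live: ss -ltn | wildcard_listeners_on_port 3000):"
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners_on_port 3000
```

Binding to 127.0.0.1 and putting the authenticating reverse proxy in front is the usual fix; a listener that still shows up as 0.0.0.0:3000 after that is reachable regardless of what ufw says.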

Husky931 commented 12 months ago

@nooperation I see your point, but I did not deploy via Docker... I just cloned the code to my AWS server.

GEMTechnologies commented 12 months ago

But why don't @mckaywrigley and the other contributors of this repo rectify this? They have abandoned this and are now focusing on a closed repo with a lot of bugs too.

shortyfactory commented 12 months ago

Hi all, has anybody found what is causing this issue? I tried to contact mckaywrigley several times but he never came back to me...

Has anybody fixed this strange issue?

dreamtrail commented 12 months ago

My API key was stolen too; I only used it on this web app.

jorge-menjivar commented 12 months ago

For those of you experiencing this, are you guys hosting your own instances or using the website?

I've seen many claims of this, but as someone who has been working consistently on a superset of this project for months, I can't verify that the chatbotui.com website is not stealing your keys, but as far as the code goes, as of the last code change in April, I cannot see how it can leak your keys, except if one of the following things happens:

  • Hosting it on Vercel with an API key in the .env
  • Hosting it on a server without HTTPS, where the key in every message will be visible to any machine in between your computer and the server.
  • Hosting it in a local docker container where your machine is allowing connections to localhost:3000, making it possible for bots to find the open port.
  • Having other malware installed on your computer that can fetch the browser storage for localhost:3000 (I would not doubt this, since this project has gotten a lot of attention).

Or there might simply be a bug in this project that sends too many requests in a loop until it crashes. The Google plugin especially is very buggy.

GEMTechnologies commented 12 months ago

The truth is there are a lot of loopholes; we can't all be complaining, there is something somewhere not right.

On Sat, Sep 2, 2023 at 9:33 PM Jorge Menjivar @.***> wrote:

For those of you experiencing this, are you guys hosting your own instances or using the website?

I've seen many claims of this, but as someone who has been working consistently on a superset of this project for months, I can't verify that the chatbotui https://www.chatbotui.com/ is not stealing your keys, but as far as the code goes, as of the last code change in April, I cannot see how it can leak your keys, except if one of the following things happens:

  • Hosting it on Vercel with an API key in the .env
  • Hosting it on a server without HTTPS, where the key in every message will be visible to any machine in between your computer and the server.
  • Hosting it in a local docker container where your machine is allowing connections to localhost:3000, making it possible for bots to find the open port.
  • Having other malware installed on your computer that can fetch the browser storage for localhost:3000 (I would not doubt this, since this project has gotten a lot of attention).

Or there might simply be a bug in this project that sends too many requests in a loop until it crashes. The Google plugin especially is very buggy.


1192807824 commented 11 months ago

Damn it, my key got stolen and used.

GEMTechnologies commented 11 months ago

@1192807824 Just change it. As if the authors are not aware or are doing it intentionally.

seanchito commented 11 months ago

Do they need the API key to run up charges? Maybe they are just scanning for the app and then proxying requests through the interface. They ran up charges on my key, but I had the app at gpt.xxx.com.

3even commented 11 months ago

One of my API keys got nabbed today as well. Deployed it using Docker as per the README.

nooperation commented 11 months ago

I would really suggest going into the running docker instance (or whatever server it's running on) and installing some network monitoring tools to see if you are getting unexpected traffic between OpenAI, your server, and some mysterious guests, which would indicate that someone is using the service you think is only available to yourself. If you're not getting any traffic and your costs are still going up, then it's very likely a leaked key somehow.

I replaced my whole ChatBot UI and its endpoints with a clearly marked honeypot, and it's getting about one gpt-4 request per second from bots asking it to generate questions/responses for various subjects:

[2023-09-04 03:22:35] 8.210.x.x
Please tell me what is the sum of 520 and 250?
[2023-09-05 23:48:14] 129.227.x.x
你是计算器专业教授,不要出现角色声明信息,请用中文回答。要求过程完整,语言流畅,符合逻辑,推理严谨,尽量列举实例:【React Router和Vue Router的作用是什么?如何使用它们?】
------------------
[2023-09-03 13:59:39] 101.67.x.x
你好

------------------
[2023-09-03 13:59:40] 101.67.x.x
你是网络安全领域的专家,请你回答下面问题,要求描述尽量详细和完整,尽量贴近实战,需要包含知识,实例,代码,工具,操作等内容:散列函数的安全性关系到整个密码学系统的安全性。安全的散列函数应该满足抗碰撞(collision resistance)和抗第二原像(second preimage resistance)等性质。
------------------
[2023-09-03 13:59:42] 101.67.x.x
作为网络安全领域的专家,请用你的专业知识进行后续对话,不要出现角色申明信息:
安全监控与事件响应审计的流程是什么?包括哪些关键步骤和环节?
<previous random honeypot response 1>

请根据上述对话生成下一个问题,仅提供问题内容,不要显示其他多余信息
<previous random honeypot response 2>

作为网络安全领域的专家,请用你的专业知识进行后续对话,不要出现角色申明信息:
<previous random honeypot response 3>

请根据上述对话生成下一个问题,仅提供问题内容,不要显示其他多余信息
<previous random honeypot response 4>

作为网络安全领域的专家,请用你的专业知识进行后续对话,不要出现角色申明信息:
<previous random honeypot response 5>

请根据上述对话生成下一个问题,仅提供问题内容,不要显示其他多余信息
<previous random honeypot response 6>

作为网络安全领域的专家,请用你的专业知识进行后续对话,不要出现角色申明信息:
<previous random honeypot response 7>

请根据上述对话生成下一个问题,仅提供问题内容,不要显示其他多余信息
...
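The monitoring suggested in this comment, as an added example that is not code from the chatbot-ui project or this commenter: a summary of a honeypot log in the "[timestamp] ip" plus prompt shape shown above, so unexpected clients stand out by request count and time window. The log lines are constructed after the thread's format, with source addresses masked as in the original.

```shell
#!/bin/sh
# Added example (not chatbot-ui project code): per-source summary of a honeypot
# log in the "[timestamp] ip" / prompt / "------" format shown in the thread.
# The log below is constructed; addresses stay masked as x.x like the original.

HONEYPOT_LOG='[2023-09-04 03:22:35] 8.210.x.x
Please tell me what is the sum of 520 and 250?
------------------
[2023-09-05 23:48:14] 129.227.x.x
你是计算器专业教授,不要出现角色声明信息,请用中文回答。
------------------
[2023-09-03 13:59:39] 101.67.x.x
你好
------------------
[2023-09-03 13:59:40] 101.67.x.x
你是网络安全领域的专家,请你回答下面问题
------------------
[2023-09-03 13:59:42] 101.67.x.x
作为网络安全领域的专家,请用你的专业知识进行后续对话'

# Reads the log on stdin and prints "ip count first_seen last_seen verdict",
# busiest source first. Sources at or above $1 requests (default 3) are marked
# SUSPECT; on a live host these lines would feed a blocklist or an alert.
summarize_honeypot() {
  awk -v thr="${1:-3}" '
    /^\[[0-9-]+ [0-9:]+\] / {
      ts = substr($1, 2) " " substr($2, 1, length($2) - 1)   # strip the [ ]
      ip = $3
      n[ip]++
      if (!(ip in first) || ts < first[ip]) first[ip] = ts
      if (ts > last[ip]) last[ip] = ts
    }
    END {
      for (ip in n)
        printf "%s %d %s %s %s\n", ip, n[ip], first[ip], last[ip], (n[ip] >= thr ? "SUSPECT" : "ok")
    }' | sort -k2,2nr -k1,1
}

printf '%s\n' "$HONEYPOT_LOG" | summarize_honeypot 3
```

Any source that shows up here at all is unexpected on a deployment that was meant to be private; the threshold only ranks which ones are hammering the endpoint.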

GEMTechnologies commented 11 months ago

@nooperation so the APIs are leaked, right?

shiitake commented 11 months ago

If you actually suspect that your API key has been stolen, please create an issue with all of the details:

So far there has been very little hard data about how this is happening.

@nooperation - you provide interesting log data, but there aren't enough specifics for anyone to nail down where the leak might be happening.

If you're hosting it in AWS or Azure you should be able to put everything behind a firewall. If you're running this locally on your own network you'll have to manage that yourself. Either way you should have logs indicating the network traffic.

mbos2 commented 8 months ago

If you set your API key via this little option in the UI, it will store the API key in the browser's local storage. What fruitcake thought that was a good idea? To store an OpenAI key in the most secure place of all?

EDIT: Even OpenAI wrote it:

> Remember that your API key is a secret! Do not share it with others or expose it in any client-side code (browsers, apps).
> Production requests must be routed through your own backend server where your API key can be securely loaded from an environment variable or key management service.

Either add your key via .env or use even more secure methods like some Secret Manager.

boriselec commented 8 months ago

It appears that bots are specifically targeting this app. I was charged for these requests; luckily, I was able to recover the credits through OpenAI support.

Do not deploy this app without additional credentials. If you're looking for an easy way to add authentication on top of this, try using this image: https://github.com/beevelop/docker-nginx-basic-auth