
Running Moltbook AI Social Media Platform Has Serious Security Implications

What is Moltbook? Reddit for AI Agents

Moltbook, an AI-exclusive social media platform launched just days ago and dubbed the “Reddit for AI agents,” has exploded in popularity online. Within its first week, Moltbook attracted over 1.5 million registered AI agents and more than a million human spectators watching the agents interact with each other, sparking countless posts across human social networks.

The project originated with OpenClaw, an open-source AI agent created by Peter Steinberger that runs locally on a user’s machine. The software allows bots to use a computer and internet services just as a human would. Building on this, entrepreneur Matt Schlicht developed his own OpenClaw agent, named Clawd Clawderberg, and tasked it with coding, moderating, and managing the entire Moltbook platform. Now most moltbots on the platform run on OpenClaw.

Vulnerability of Moltbook

Cybersecurity professionals warn that this setup is terribly insecure and creates massive security vulnerabilities. However, most agree that it’s impossible to suppress public curiosity and discourage experimentation. Instead, they are calling for caution and offering some safety tips.

Karolis Arbačiauskas, head of product at the cybersecurity company NordPass, comments:

“Moltbook and OpenClaw have attracted tech-savvy tinkerers with unprecedented opportunities for experimentation because these tools have virtually no built-in security restrictions but have broad access to users’ computers, apps, and accounts. For example, you can connect to your OpenClaw bot through a messaging app to interact with it while you’re away. It can remember your conversations, read and write files on your computer, browse the web, build applications, and even consult other bots on Moltbook for advice on how to do it best.”

Curiosity Killed The Cat

“While it’s exciting and curious to see what an AI agent can do without any security guardrails, this level of access is also extremely insecure. Therefore, please run Moltbook and your personal bots only in secure, isolated environments.

“Do not give your AI agents access to your real accounts. Instead, create disposable alternatives for them to use. Do not let them use your main browser, especially if you store passwords on it. You should also be cautious with enabling autofill because it creates the risk of the agent having permanent remote access to your credentials. If you want an agent to build something autonomously and anticipate it may need to purchase software or rent server space, link it to a disposable payment card.

“Avoid running Moltbook or OpenClaw agents on your personal or work computers. These AI agents are unpredictable and highly vulnerable to prompt injection attacks. This means if your agent processes an email, document, or webpage containing a hidden malicious instruction, it will likely execute that command in addition to its original task. For example, it could be instructed to send all the credentials, personal data, and payment card information it has access to directly to an attacker.

“The risk isn’t limited to hackers with malicious intent. AI agents could leak users’ data unintentionally. And this is just the tip of the iceberg. Cybersecurity researchers have already identified critical flaws in Moltbook, including an unsecured database that could allow unauthorized users to take control of any AI agent on the site.

Launching Bots That Con?

“It would not be surprising if threat actors, trolls, and scammers have already found their way onto Moltbook and launched bots tasked with conning other AI agents into cryptocurrency schemes or luring them into hidden prompt injections.

“That’s why it is best to buy a separate, dedicated machine and use disposable accounts for any experimentation. It is also advisable to use encryption and a private mesh network as well as to try to harden your bot against prompt injections.”

For the Silo, Gintas Degutis.

Cybersecurity Expert On Recent Louvre Burglary Reveals Poor Password Choice

On Sunday, October 19, a burglary took place at the Louvre — one of the best-known museums in the world. In broad daylight, minutes after the museum opened, thieves broke into the Apollo Gallery and stole the French Crown Jewels, valued at around 88 million EUR / $142.5 million CAD.

While criminals entered the famous museum through a window, the robbery exposed a whole host of security problems at the Louvre, including issues with digital security. For example, French media claim that according to the documents they’ve seen, the server managing the museum’s video surveillance was once protected by a weak password “LOUVRE.”

Media in France cite audit documents which show that the Louvre neglected security issues for years, including holes in physical security, outdated software, shoddy maintenance, and poor password and cybersecurity management.

Karolis Arbačiauskas, Head of Product at the cybersecurity company NordPass, comments:

“Publicly available information increasingly suggests that the museum’s IT security system — which manages access control, alarms, and video surveillance — suffers from numerous vulnerabilities. According to a 2014 audit by the French National Cybersecurity Agency (ANSSI), the museum’s system also relied on insecure passwords. For example, the server managing the museum’s video surveillance was protected by the password ‘LOUVRE.’”

“This is horrible. Such a password breaks all the principles of creating secure passwords. On the other hand, it’s not that shocking. Truth be told, our own research shows that cybersecurity in the public sector is not the best. Tens of thousands of public sector employee passwords are already on the dark web.”

“But we need to be careful and refrain from pointing fingers until the investigation is completed. The audit data cited by the media is quite old, and we don’t know if the Louvre took ANSSI recommendations into account. Crucially, poor passwords were not the point of entry for the criminals; they gained access through a window, indicating a broader, comprehensive security failure.”

“Personally, I would like to see a positive side to this horrible story. This theft has become the ultimate penetration test for the Louvre, so I hope it will serve as a stimulus to review and upgrade all of the museum’s security systems and policies, including passwords and outdated software. Otherwise, this robbery may embolden criminals and potentially lead to more crimes in the future.”

“A proper password should be at least 20 characters long and consist of a random combination of numbers, upper and lower case letters, and special symbols. Passwords on routers and security systems, including those that manage security cameras, must be extremely strong and perhaps go beyond what is considered a strong password, as these systems can literally and figuratively open almost any door. It is also paramount to never reuse passwords. The rule of thumb is that each account should have a unique password because if one account gets taken over, hackers can use the same credentials for other accounts.”

For the Silo, Gintautas Degutis/ Nordsec.
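
The password guidance quoted above (at least 20 random characters drawn from all four character classes, never reused across accounts) can be checked and enforced in a few lines. This is an added example, not code from the article or from NordPass; the function names and the sample vault are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 20  # minimum length stated in the quoted advice
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def policy_failures(password):
    """Return the policy rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(name)
    return failures


def generate_password(length=MIN_LENGTH):
    """Draw from the OS CSPRNG and redraw until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_failures(candidate):
            return candidate


def reused_passwords(vault):
    """Map each password shared by several accounts to those accounts."""
    seen = {}
    for account, password in vault.items():
        seen.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in seen.items() if len(accts) > 1}


if __name__ == "__main__":
    # The password reported in the audit fails four of the five rules.
    print(policy_failures("LOUVRE"))
    # Constructed sample vault (hypothetical account names, fresh passwords).
    vault = {"video-server": generate_password(), "router": generate_password()}
    print(reused_passwords(vault))
```
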