• This is a great plugin, but I am afraid that somehow it exposes your API key. (I was wrong, as the reply shows).

    I have noticed every time I put a new key, a number of bot conversations start popping in my Discussions page consuming my credits, especially with IPs from Russia.

    That said, I can’t yet say for sure if it is just my website that is compromised or the plugin has a security hole; otherwise, great plugin.

    • This topic was modified 3 years, 2 months ago by epetros.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jordy Meow

    (@tigroumeow)

    Hi @epetros,

    AI Engine does not expose your API Key, don’t worry about this 🙂 If your key was exposed, the hackers would simply use it directly, and you wouldn’t be able to see any discussions or anything. Your key is safe.

    What’s going on here is an attack that focuses specifically on the plugin and/or OpenAI. They simply have bots going on your site and spamming the bot with random requests.

    Please try not to review the plugin solely on this issue, as it’s a reward for them; basically, those spammers want to damage the plugin and/or OpenAI and people using those services.

    When an issue like this occurs, come to me right away, and if possible, in private (as it is better if they don’t see this).

    Now, for the solutions:

    I think hosting services and security services like Cloudflare will prevent this naturally very soon, as they do with other attacks. It’s just a matter of time.

    Meanwhile, you can use this code to stop it:

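    // Refuse chatbot queries whose prompt contains any of the spam keywords below.
    add_filter( 'mwai_ai_allowed', function ( $allowed, $query ) {
      $forbidden_words = array( 'вальгусной', 'стопы', 'и', 'от', 'лечения', 'узнайте', 'как', 'деформации', 'методы', 'нашей', 'рекомендации', 'причины', 'профессионалов', 'советы', 'избавьтесь', 'способы', 'получите', 'все', 'для', 'от чего' );
      foreach ( $forbidden_words as $word ) {
        // stripos() only folds ASCII case, so use mb_stripos() for Cyrillic when mbstring is available.
        $found = function_exists( 'mb_stripos' )
          ? mb_stripos( $query->prompt, $word )
          : stripos( $query->prompt, $word );
        if ( $found !== false ) {
          sleep(10);      // Slow the bot down; note this also holds a PHP worker for 10 seconds.
          return "Nope!"; // Returned in place of $allowed to refuse the query.
        }
      }
      return $allowed;
    }, 10, 2 );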

    You can add this code in your functions.php, or through Code Snippets (https://meowapps.com/add-custom-php-code-wordpress/). You can also join my Discord Channel (https://discord.gg/bHDGh38); we discuss this kind of issue as soon as it occurs 🙂

    • This reply was modified 3 years, 2 months ago by Jordy Meow.
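
The word list in the reply above is tied to one batch of spam prompts. As an added example (not from the original thread and not AI Engine's own code), the same `mwai_ai_allowed` filter can refuse queries by script and by request rate instead. It assumes, as the author's snippet does, that returning a string refuses the query and that `$query->prompt` holds the visitor's text; the `example_*` names and the limits are hypothetical, and the script check suits only sites that expect no Cyrillic-language visitors.

```php
<?php
// Added example, not AI Engine's own code. All example_* names and the
// limits below are assumptions chosen for illustration.
const EXAMPLE_MAX_QUERIES = 5;   // queries allowed per address...
const EXAMPLE_WINDOW_SECS = 60;  // ...within this many seconds

// True when more than half of the letters in $text are Cyrillic.
function example_is_mostly_cyrillic( $text ) {
  $letters  = (int) preg_match_all( '/\p{L}/u', $text );
  $cyrillic = (int) preg_match_all( '/\p{Cyrillic}/u', $text );
  return $letters > 0 && ( $cyrillic / $letters ) > 0.5;
}

// Counts queries per address in a transient. set_transient() restarts the
// expiry on each write, so the count clears EXAMPLE_WINDOW_SECS after the
// last accepted query. The read-then-write is not atomic, so a burst of
// parallel requests can slip a few extra queries through.
function example_over_rate_limit( $ip ) {
  $key   = 'example_mwai_' . md5( $ip );
  $count = (int) get_transient( $key );
  if ( $count >= EXAMPLE_MAX_QUERIES ) {
    return true;
  }
  set_transient( $key, $count + 1, EXAMPLE_WINDOW_SECS );
  return false;
}

add_filter( 'mwai_ai_allowed', function ( $allowed, $query ) {
  // Behind a reverse proxy or CDN this is the proxy's address; the web
  // server must restore the real client address for the limit to be fair.
  $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
  if ( example_over_rate_limit( $ip ) ) {
    return 'Too many requests, please try again later.';
  }
  if ( example_is_mostly_cyrillic( (string) $query->prompt ) ) {
    return 'Nope!';
  }
  return $allowed;
}, 10, 2 );
```

Unlike `sleep(10)`, the rate limit refuses the request immediately, so a flood of bot queries does not tie up PHP workers while it is being turned away.
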
    Thread Starter epetros

    (@epetros)

    Thanks for the prompt reply,

    My apologies if I did not approach the issue the right way, adding one star and changing my review.

    I think it would be better if the plugin could hide the context (prompt) as well, cause that is shown if I choose to View Page Source in my browser.

    Thanks for the great plugin.

    Plugin Author Jordy Meow

    (@tigroumeow)

    “I think it would be better if the plugin could hide the context (prompt) as well, cause that is shown if I choose to View Page Source in my browser.”

    Completely agree 🙂 I am actually working on this right now, and the whole config will be on the server-side. There will be nothing left on the client-side.


The topic ‘API Key Leakage (I was wrong)’ is closed to new replies.