🟠 High  |  Source: The Hacker News


A study of 444 iPhone AI chatbot apps found that 282 of them — roughly 63% — exposed paid AI API keys or unauthenticated backend proxies in their network traffic. Attackers intercepting this traffic could make model requests billed to the developer’s account at no cost to themselves. The scale of exposure suggests a systemic failure in how mobile developers handle API credential security.

Security Architect’s Take: Audit any mobile or third-party applications that consume LLM APIs on your organisation’s behalf — ensure API keys are never embedded in client-side code or transmitted in plaintext, and enforce per-key rate limits, IP restrictions, and usage alerts to detect abuse early.
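The pattern the Take describes (upstream key held only server-side, an authenticated proxy in front of it, per-client rate limits and a usage alert), sketched here as an added Python example; it is not code from the article or from any of the audited apps. The token format, client ids, limits and the stubbed upstream call are all assumptions.

```python
import hmac, hashlib, time
from collections import defaultdict

class LLMProxy:
    """Server-side gateway: the upstream API key never leaves this process.
    Mobile clients present a short-lived HMAC token instead of the key."""

    def __init__(self, upstream_key, signing_secret, upstream_call,
                 per_min_limit=5, alert_threshold=20, now=time.time):
        self._upstream_key = upstream_key   # assumed placeholder, kept off the client
        self._secret = signing_secret       # bytes; used only to mint/verify tokens
        self._call = upstream_call          # callable(api_key, prompt) -> str (stub)
        self.per_min_limit = per_min_limit
        self.alert_threshold = alert_threshold
        self._now = now                     # injectable clock for testing
        self._calls = defaultdict(list)     # client_id -> recent call timestamps
        self._usage = defaultdict(int)      # client_id -> lifetime call count
        self.alerts = []                    # usage alerts an operator would page on

    def issue_token(self, client_id, ttl=300):
        """Token handed to an app instance after it signs in; client_id must not contain ':'."""
        exp = int(self._now()) + ttl
        msg = f"{client_id}:{exp}".encode()
        sig = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return f"{client_id}:{exp}:{sig}"

    def _verify(self, token):
        """Return the client_id if the token is well-formed, unexpired and untampered."""
        try:
            client_id, exp, sig = token.split(":")
        except ValueError:
            return None
        expected = hmac.new(self._secret, f"{client_id}:{exp}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig) or int(exp) < self._now():
            return None
        return client_id

    def complete(self, token, prompt):
        client_id = self._verify(token)
        if client_id is None:
            return {"ok": False, "error": "unauthenticated"}
        now = self._now()
        recent = [t for t in self._calls[client_id] if now - t < 60]
        if len(recent) >= self.per_min_limit:   # sliding one-minute window
            self._calls[client_id] = recent
            return {"ok": False, "error": "rate_limited"}
        recent.append(now)
        self._calls[client_id] = recent
        self._usage[client_id] += 1
        if self._usage[client_id] == self.alert_threshold:
            self.alerts.append(f"usage alert: {client_id} reached {self.alert_threshold} calls")
        return {"ok": True, "text": self._call(self._upstream_key, prompt)}
```

Any request that reaches the upstream provider carries the server's key, so a captured client token is worth at most one client's rate-limited quota until it expires.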

Original advisory: 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study