DEV Community

xu xu
xu xu

Posted on

I Scanned 1 Million AI Services. Here's What Worries Me More Than the Vulnerabilities

#ai #security #llm #apidesign

Your error rate just spiked 40%. Three weeks of debugging, two engineers on call rotation, and the coffee is cold. The terminal is still red.

You're staring at a log that shows your AI service has been leaking embeddings to unauthorized requests for two weeks.

Two weeks.

This is what one security researcher found when they systematically scanned a million production AI services and assessed their security posture. The results weren't "some services had issues." They were: almost no one did authentication right. Almost no one had rate limiting. Almost no one encrypted their training data in transit.

悲報 (Hōhō): Literally "bad news" — in Japanese tech circles, a dramatic framing for concerning technical findings. The post that sparked this article used this headline style specifically because the findings were too significant to bury in neutral language.

The Qiita post from emi_ndk (0aac69d8a962d2413d9d, stocks=0) documented a scan of production AI services and found what they called "the worst security in history." It's stayed under the radar in English dev circles, but teams operating in Asia have been paying attention — because the patterns it reveals are exactly the blind spots that turn "we're adopting AI" into "we're exposing ourselves."

What the Scan Actually Found

The research identified three recurring failure modes across vulnerable AI services:

  1. No authentication on inference endpoints — the service assumed it would only be called from "trusted" internal systems
  2. No rate limiting on vector DB queries — leading to resource exhaustion attacks
  3. Training data exposure through logs — prompt histories containing PII, credentials, internal system instructions

Here's what's interesting: these aren't sophisticated vulnerabilities. Rate limiting is solved technology. Authentication middleware is mature. These aren't "AI problems." These are "we forgot to apply what we already know" problems.

And that's exactly why it's worth writing about.

The Trap: Intelligence Doesn't Equal Security

The pattern I keep seeing — and the pattern the Qiita researcher found — is a deployment culture that treats AI services as different from other network services.

"It's an AI service, so it's smart. It probably has its own security built in."

I've heard this exact sentiment from three different engineering teams in the last six months. In each case, they'd applied rigorous security review to their payment APIs. They'd implemented mTLS between services. They'd done threat modeling for their data pipelines.

Then they deployed an AI service with a default configuration and called it done.

Skeleton Implementation doesn't care if your service uses an LLM. An AI service that accepts natural language input and outputs actions is a reverse proxy with an LLM and a vector DB attached. It needs the same security controls as every other service that touches sensitive data.

The difference is the attack surface. When your payment API accepts "deduct $50 from account X," that's one threat vector. When your AI service accepts "show me the top 10 customer records similar to this query," it has access to everything your RAG system is connected to — databases, vector stores, internal APIs — via natural language.

The intelligence is in the model. The blast radius is in the deployment.

The Unpopular Opinion

Most "AI security" discussion focuses on prompt injection, model extraction, and adversarial inputs at the model layer. I think this is misdirected.

The actual risk in production AI services today isn't that the LLM will be fooled by a clever prompt. It's that teams are applying less security rigor to AI services than they would to a basic CRUD endpoint, because they assume the "intelligence" of the system provides some protective buffer it doesn't.

Two specific reasons this matters more than prompt injection right now:

  1. Prompt injection requires an attacker who knows your system. Exposed authentication requires nothing — it's a gift to automated scanners running across every public cloud IP range.
  2. Model-layer defenses are improving rapidly. Deployment-layer gaps (no auth, no rate limiting, no input validation) are not getting better because teams don't know they have them. The gap between "what teams think they're shipping" and "what's actually exposed" is largest at the infrastructure layer, not the model layer.

Hot Take: Your AI service probably has worse security than your payment API. Not because AI is inherently insecure — because your team is applying less rigor to it.

What You Should Actually Check

If you're running AI services in production, here's the minimum checklist that the scan data suggests most teams are skipping:

  1. Enforce authentication on all inference endpoints — even "internal only" services get scanned from adjacent tenants in cloud environments
  2. Implement rate limiting on vector DB queries — a single prompt that triggers full similarity search can exhaust your DB connection pool
  3. Audit your prompt logs for PII exposure — this is where credential leakage actually lives, not in the model weights
  4. Test your "internal only" assumption — run a simple curl against your AI endpoints from an unauthorized context and see what comes back

This isn't security theater. These are the specific failure modes that showed up when someone actually looked.

The Skeptical Take

Here's where my confidence breaks down: I don't have visibility into what the scan actually tested.

If the scan ran against publicly accessible AI services (API endpoints with no authentication by design, like public LLM playground deployments), the "worst security in history" framing might be measuring a different thing than production enterprise deployments.

Public playground endpoints that don't require authentication are a different risk profile than an internal RAG service that assumes network-level trust.

The finding that matters most isn't "1 million services had no auth." It's "1 million services had no auth when teams thought they were operating in trusted contexts."

That's a deployment assumption failure, not an AI security failure. And it's fixable — if teams know to look for it.

What's your take?

Share your most expensive AI service mistake below. I'll start: mine was an unauthenticated endpoint that stayed exposed for two weeks because "it's just an internal RAG service, nobody outside the network can reach it." A competitor's automated scanner found it during a routine security assessment.

What happened? What did the incident response actually cost you?

Tags: ["AI", "Security", "LLM", "API Design", "DevSecOps"]

Source Attribution: Based on research documented in a Japanese developer community post by emi_ndk (Qiita), scanning production AI services for common security misconfigurations.

Shareable Quote: "The intelligence is in the model. The blast radius is in the deployment. And most teams are applying less security review to AI services than they would to a basic CRUD endpoint."

Meta Description: A security researcher scanned 1 million AI services and found catastrophic security gaps. Here's the deployment pattern causing it — and what your team should actually check.

Discussion Question: What's the one AI service security gap you've seen that nobody talks about? Share your most expensive incident — I'll respond to every one.

Research documented by emi_ndk on Qiita (Japanese developer community), scanning production AI services for security misconfigurations at scale.

Discussion: What's the one AI service security gap you've seen that nobody talks about? Share your most expensive incident — I'll respond to every one.

Top comments (0)