We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:

https://hackerone.com/reports/2199174

in reply to daniel:// stenberg://

I have 0 doubts that this will become a more and more common occurrence
in reply to Brodie Robertson

@BrodieOnLinux the only thing that will change is that these chucklefucks aren't going to say that it came from a bullshit-generator.
in reply to daniel:// stenberg://

This is wonderfully bizarre. As I understand it, Bard has had a hallucination and dreamt up a leak before public disclosure - including the details of not-yet-released material.
Makes me wonder: how off are these hallucinations? Are they anywhere closely resembling the truth? Or partial? Or in the correct region?
in reply to Dan Bergh Johnsson

@danbjson This seems to be using the bogus CVE 2020-19909 as a base and then synthesizing fake functions around it
in reply to Brodie Robertson

@BrodieOnLinux @danbjson exactly. It seems "inspired" mostly by 19909, and then adds a mishmash of weirdo inconsistent details. The mention of 38545 and 8.4.0 indicates it actually knows at least they exist. Possibly because they were used in the prompt?
