GPT-4 Autonomously Hacks Zero-Day Security Flaws with 53% Success Rate – Cornell Study

Share post:

Researchers have successfully used GPT-4 to autonomously hack more than half of their test websites using zero-day exploits, marking a significant milestone in AI capabilities and cybersecurity risks.

A few months ago, a research team demonstrated GPT-4’s ability to autonomously exploit one-day vulnerabilities—security flaws that are known but have not yet been patched. Given the Common Vulnerabilities and Exposures (CVE) list, GPT-4 could exploit 87% of critical-severity CVEs on its own.

This week, the same researchers published a follow-up study showing that GPT-4 can now exploit zero-day vulnerabilities—previously unknown security flaws—with a 53% success rate. The team used a method called Hierarchical Planning with Task-Specific Agents (HPTSA), which involves a “planning agent” overseeing the process and deploying multiple “subagents” for specific tasks. This hierarchical approach mimics a project management system, where the planning agent acts like a boss, coordinating subagents to handle specific tasks.

When benchmarked against 15 real-world web-focused vulnerabilities, HPTSA proved 550% more efficient than a single LLM in exploiting vulnerabilities, successfully hacking 8 out of 15 zero-day vulnerabilities. In contrast, a solo LLM effort only managed to hack 3 out of the 15 vulnerabilities.

This development raises significant cybersecurity concerns, as the ability to autonomously exploit zero-day vulnerabilities could be used maliciously. Daniel Kang, one of the researchers, emphasized that while GPT-4 in chatbot mode cannot understand or exploit vulnerabilities, the capabilities demonstrated in this study highlight the potential risks.

In practical terms, the method involves the planning agent launching subagents to tackle different parts of the task, reducing the workload on any single agent. This technique mirrors how Cognition Labs uses its Devin AI for software development, planning out jobs and spawning specialist “employees” as needed.

Source: Cornell University 


Related articles

How your smart TV is watching you. Hashtag Trending for Monday, June 17th, 2024

Hashtag Trending is brought you with the generous sponsorship of Zoho Canada. We thank them for making it...

London hospitals cancel over 800 operations after ransomware attack

NHS England disclosed today that a recent ransomware attack on Synnovis has led to the cancellation of hundreds...

Microsoft cancels universal Recall release in favor of Windows Insider preview

Microsoft has decided to cancel the wide release of Recall, the controversial tool for Copilot+ PCs, and instead...

OpenAI’s revenue soars with subscription-based ChatGPT and developer integrations

There are reports that OpenAI has been been experiencing impressive financial growth. The Information reported that the company's...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways