New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks
Jan 09, 2023
Database Security / PLM Framework
A group of academics has demonstrated novel attacks that leverage Text-to-SQL models to produce malicious code that could enable adversaries to glean sensitive information and stage denial-of-service (DoS) attacks. "To better interact with users, a wide range of database applications employ AI techniques that can translate human questions into SQL queries (namely Text-to-SQL )," Xutan Peng , a researcher at the University of Sheffield, told The Hacker News. "We found that by asking some specially designed questions, crackers can fool Text-to-SQL models to produce malicious code. As such code is automatically executed on the database, the consequence can be pretty severe (e.g., data breaches and DoS attacks)." The findings , which were validated against two commercial solutions BAIDU-UNIT and AI2sql , mark the first empirical instance where natural language processing (NLP) models have been exploited as an attack vector in the wild. The black box ...
