Full Report
Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all. Whoever grabs it can send model requests on the developer's account,
Analysis Summary
# Vulnerability: Leaked LLM API Credentials in iOS Chatbot Applications
## CVE Details
- **CVE ID**: Not yet assigned (Research-based discovery)
- **CVSS Score**: Estimated 7.5 - 9.1 (High/Critical)
- **CWE**:
  - CWE-798: Use of Hard-coded Credentials
  - CWE-522: Insufficiently Protected Credentials
  - CWE-922: Insecure Storage of Sensitive Information
## Affected Systems
- **Products**: 282 AI chatbot applications for iOS.
- **Versions**: Various versions available on the US App Store (late 2025).
- **Configurations**:
  - Apps directly embedding API keys in client-side code.
  - Apps utilizing insecure backend proxies or open relays.
  - Apps using improperly configured Bearer tokens or Session tokens.
## Vulnerability Description
Research conducted by Wake Forest University using the **LLMKeyLens** tool revealed that nearly two-thirds of tested AI apps leak credentials via network traffic. The flaws fall into three technical categories:
1. **Plaintext Key Exposure**: API keys (e.g., OpenAI, Google Gemini) are sent in the headers or body of the request, visible to anyone monitoring network traffic.
2. **Unauthenticated Proxies/Open Relays**: Backend servers accept requests without verifying the identity of the app/user, allowing external actors to route traffic through the developer's paid account.
3. **Insecure Token Management**: Developers use temporary tokens that are either "replayable" (valid for multiple requests/users) or have absurdly long expiration dates (e.g., set to expire in the year 2125).
## Exploitation
- **Status**: PoC available (via LLMKeyLens research); exploited in the wild via "LLMjacking" schemes.
- **Complexity**: Low
- **Attack Vector**: Network (Can be captured via Man-in-the-Middle (MitM) or simple traffic analysis tools without requiring a jailbroken device).
## Impact
- **Confidentiality**: High (Exposure of API keys and, in some cases, hidden system prompts/proprietary instructions).
- **Integrity**: Medium (Attackers can use the account to generate content, potentially affecting usage-based metrics).
- **Availability**: High (Attackers can deplete the developer's API credit balance, causing service outages for legitimate users).
- **Financial**: Significant (Potential charges of up to $46,000/day per stolen credential).
## Remediation
### Patches
- Developers must release updated versions that remove client-side API keys.
- **Current Status**: Only 28% of notified developers have successfully patched the flaw.
### Workarounds
- **Architecture Shift**: Never store API keys in the app binary. Route all AI calls through a secure intermediary backend server.
- **Server-Side Validation**: Implement strict authentication and rate-limiting on backend proxies to ensure requests come only from legitimate, authenticated users.
- **Key Revocation**: Immediately rotate and revoke any API keys that have been exposed in previous app versions.
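The sketch below shows one way a backend proxy can apply the server-side validation described above so that it is neither an open relay nor a source of replayable, century-long tokens. It is an added example, not code from the research or from LLMKeyLens; `ProxyGate`, the token format, `MAX_TTL` and `RATE_LIMIT` are hypothetical names and assumed policy values.

```python
import base64, hashlib, hmac, json

MAX_TTL = 300      # assumed policy: longest token lifetime accepted, in seconds
RATE_LIMIT = 5     # assumed policy: requests per user per 60-second window

class ProxyGate:
    """Hypothetical gate placed in front of the backend's call to the LLM provider."""

    def __init__(self, secret: bytes):
        self.secret = secret   # stays on the server; the provider API key never ships in the app
        self.used = {}         # nonce -> exp, so a captured token cannot be replayed
        self.recent = {}       # user -> timestamps of recently accepted requests

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()

    def mint(self, user: str, nonce: str, now: int, ttl: int = 60) -> str:
        # Issued only after the user has authenticated (login is out of scope here).
        body = json.dumps({"sub": user, "nonce": nonce, "iat": now, "exp": now + ttl}).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body).decode()

    def authorize(self, token: str, now: int):
        """Return (allowed, reason) for one proxied model request."""
        if not token or "." not in token:
            return False, "missing_token"          # open-relay case: no credential at all
        b64, sig = token.rsplit(".", 1)
        try:
            body = base64.urlsafe_b64decode(b64.encode())
            if not hmac.compare_digest(sig.encode(), self._sign(body)):
                return False, "bad_signature"
            c = json.loads(body)
        except ValueError:
            return False, "malformed"
        if c["exp"] - c["iat"] > MAX_TTL:
            return False, "lifetime_too_long"      # e.g. a token minted to expire in 2125
        if now >= c["exp"]:
            return False, "expired"
        self.used = {n: e for n, e in self.used.items() if e > now}
        if c["nonce"] in self.used:
            return False, "replayed"
        hits = [t for t in self.recent.get(c["sub"], []) if now - t < 60]
        if len(hits) >= RATE_LIMIT:
            return False, "rate_limited"
        self.used[c["nonce"]] = c["exp"]
        self.recent[c["sub"]] = hits + [now]
        return True, "ok"
```

The in-memory dictionaries stand in for a shared store; a deployment with more than one proxy instance would need the nonce and rate-limit state to be shared between them.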
## Detection
- **Indicators of Compromise**: Unexplained spikes in LLM API usage/billing; requests originating from unusual geographic locations or IP addresses.
- **Detection Methods**:
  - **Traffic Monitoring**: Use tools like Burp Suite or Charles Proxy to inspect outgoing app traffic for headers like `Authorization: Bearer [API_KEY]`.
  - **LLMKeyLens**: Specialized research tool used to identify credential leakage in transit.
## References
- Research Study (Wake Forest University): hxxps://arxiv[.]org/abs/2606.12212
- Sysdig LLMjacking Analysis: hxxps://www[.]sysdig[.]com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack
- Original Article: hxxps://thehackernews[.]com/2026/06/282-ios-apps-found-leaking-llm-api-keys.html