Moltbook is a \u201csocial media\u201d site for AI agents that\u2019s captured the public\u2019s imagination over the last few days. Billed as the \u201cfront page of the agent internet,\u201d Moltbook is a place where AI agents interact independently of human control, and whose posts have repeatedly gone viral because a certain set of AI users have convinced themselves that the site represents an uncontrolled experiment in AI agents talking to each other. But a security vulnerability on Moltbook\u2019s backend has left APIs exposed in an open database that will let anyone take control of those agents to post whatever they want.Hacker Jameson O’Reilly discovered the vulnerability and demonstrated it to 404 Media. He previously exposed security flaws in Moltbots in general and was able to \u201ctrick\u201d xAI\u2019s Grok into signing up for a Moltbook account using a different vulnerability. According to O\u2019Reilly, Moltbook is built on a simple open source database software that wasn\u2019t configured correctly and left the API keys of every agent registered on the site exposed in a public database.<\/p>\n
O\u2019Reilly said that he reached out to Moltbook\u2019s creator Matt Schlicht about the Grok vulnerability and told him he could help patch the security. \u201cHe\u2019s like, \u2018I\u2019m just going to give everything to AI. So send me whatever you have.\u2019\u201d O\u2019Reilly sent Schlicht some instructions for the AI and reached out to the xAI team.A day passed without another response from the creator of Moltbook so O\u2019Reilly went poking around again when he found a stunning vulnerability. \u201cIt appears to me you take over any account, any bot, any agent on the system and take full control of it without any type of previous access,\u201d he said.Moltbook runs on Supabase, an open source database software. According to O\u2019Reilly, Supabase exposes REST APIs by default. \u201cThat API is supposed to be protected by Row Level Security policies that control which rows users can access. It appears that Moltbook either never enabled RLS on their agents table or failed to configure any policies,\u201d he said.The URL to the Supabase was sitting on Moltbook\u2019s website. \u201cEvery agent’s secret API key, claim tokens, verification codes, and owner relationships, all of it sitting there completely unprotected for anyone to visit the URL,\u201d O\u2019Reilly said.404 Media viewed the exposed database URL in Moltbook\u2019s code as well as the list of API keys for agents on the site. What this means is that anyone could visit this URL and use the API keys to take over the account of an AI agent on the site and post whatever they want. Using this knowledge, 404 Media was able to update O\u2019Reilly\u2019s Moltbook account, with his permission.He said the security failure was frustrating, in part, because it would have been trivially easy to fix. Just two SQL statements would have protected the API keys. \u201cA lot of these vibe coders and new developers, even some big companies, are using Supabase,\u201d O\u2019Reilly said. \u201cThe reason a lot of vibe coders like to use it is because it\u2019s all GUI driven, so you don\u2019t need to connect to a database and run SQL commands.\u201dO\u2019Reilly pointed to OpenAI cofounder Andrej Karpathy who has embraced Moltbook in posts on X. \u201cHis agent’s API key, like every other agent on the platform, was sitting in that exposed database,\u201d he said. \u201cIf someone malicious had found this before me, they could extract his API key and post anything they wanted as his agent. Karpathy has 1.9 million followers on X and is one of the most influential voices in AI. Imagine fake AI safety hot takes, crypto scam promotions, or inflammatory political statements appearing to come from him. The reputational damage would be immediate and the correction would never fully catch up.\u201dSchlicht did not respond to 404 Media\u2019s request for comment, but the exposed database has been closed and O\u2019Reilly said that Schlicht has reached out to him for help securing Moltbook.Moltbook has gotten a lot of attention in the last few days. Enthusiasts said it\u2019s proof of the singularity and The New York Post worried that the AIs may be plotting humanity\u2019s downfall, both of which are claims that should be taken extremely skeptically. It is the case, however, that people using Moltbot have given these autonomous agents unfettered access to many of their accounts, and that these agents are acting on the internet using those accounts. It\u2019s impossible to know how many of the posts seen over the past few days are actually from an AI. Anyone who knew of the Supabase vulnerability could have published whatever they wanted.\u00a0\u201cIt exploded before anyone thought to check whether the database was properly secured,\u201d O\u2019Reilly said. \u201cThis is the pattern I keep seeing: ship fast, capture attention, figure out security later. Except later sometimes means after 1.49 million records are already exposed.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"