Paul, Weiss Waking Up With AI
Moltbook, Part 2: Agentic AI and Cybersecurity
In this episode, Katherine Forrest and Scott Caravello continue their conversation on Moltbook—this time with a special guest. John Carlin, Chair of the firm's Cybersecurity & Data Protection and National Security & CFIUS practice groups, joins for a closer look at the cybersecurity risks of the agentic social network. In their wide-ranging discussion, the trio covers a host of concerns, from exposed credentials to hypothetical botnet threats to issues stemming from Moltbook’s vibe-coded origins.
Episode Transcript
Katherine Forrest: Hello everyone and welcome to another episode of Paul Weiss Waking Up with AI. I'm Katherine Forrest.
Scott Caravello: And I'm Scott Caravello. Katherine, this is a very exciting day. It's our second guest episode.
Katherine Forrest: Well, I am very excited, Scott, about the fact that this is our second guest episode and our guest is waiting—and has been waiting on me now for some time—but, my, I'm having like these technical difficulties. So, I want to apologize to our audience because you're hearing my voice through just the computer and not my fancy mic setup. But that's also because we're recording this right after the blizzard and I'm in a strange place. But anyway. We are delighted to have a special guest with us today for a discussion that we raised a couple of episodes ago relating to Moltbook. And we've got today, John Carlin, who co-chairs our Cybersecurity and Data Protection Practice Group at Paul, Weiss. And John, who always wears a lovely red tie and sort of jacket and all of that, he previously served as Assistant Attorney General for National Security at the Department of Justice. And he looks the part. And he is going to tell us all there is to know about cybersecurity risks surrounding Moltbook and the agentic technologies underlying it. So, we're thrilled, John, that you can be here today. Thank you so much for putting up with our technical difficulties!
John Carlin: Great, thank you, Katherine and Scott, and great to be on the podcast for the first time. We've had many of these discussions and nice to be able to share it with your listeners.
Katherine Forrest: Well, our listeners, I'm sure, are going to be fascinated by this topic because Moltbook has been in the news so much, but two weeks ago, we did start to discuss Moltbook, which, to remind our audiences, is the Reddit-style social network for AI agents. And we flagged, then, that there are some real cybersecurity risks that deserve their own dedicated episode. And so today we're gonna, we're gonna try to launch right into that.
John Carlin: Absolutely. I think the first thing to understand, well, really, you don't need to be a cybersecurity expert to think, what could go wrong with a network that exists entirely of artificial intelligence agents? I don't know who created them. I don't know who's operating them. Should I let that onto my platform? Should I connect up my computer and everything that is most sensitive? And that's exactly the issues here. We have automated agents and agents that may have access to credentials, to APIs, to sensitive systems. And that is music to the ears of the bad guys, the crooks, the terrorists, those who cause trouble without even a criminal motive or terrorism motive, but just to cause trouble—which are the type of actors we’ve seen throughout the history of the internet, causing cyber-related crimes. And, with Moltbook, on top of that, you have a platform that was vibe coded, meaning it was built rapidly using an AI coding tool. And that's more and more, I guess, going to become the “norm” over the next several years, but this is an early instance. And then you have users connecting the AI agents to broad access on their own devices, accounts, and credentials. One of the major players in this space, the cybersecurity company, Wiz, found a major flaw in the site, and it found that that flaw exposed private messages, email addresses of thousands of users, and more than a million credentials. And that's a large exposure event.
Katherine Forrest: You mentioned, John, “vibe-coding”—and everything you've mentioned so far sounds really serious—but one of the things that I've actually heard people talk about a lot, and talk about in connection with Moltbook, in particular, is this vibe coding thing that you mentioned. Can you explain why vibe coding produces certain security vulnerabilities? Like what's the risk there?
John Carlin: Sure, so just taking a step back, “vibe-coding,” is a phrase used for when developers use AI tools to assist in generating code rapidly, often with minimal manual review, so minimal review by humans. The creator of Moltbook publicly stated that he didn't write one line of code for the site. And, so, while AI can accelerate development, at this stage, it also tends to produce code that does not include basic cybersecurity practices that a human-experienced coder would incorporate. So, speed can come at the expense of security fundamentals. Things like proper access controls, encryption of sensitive data, and input validation that make sure that the data is safe before it enters the application and ensures that users are who they say they are. In Moltbook's case, Wiz found a misconfigured database with an API key exposed in the site's code. And if you gained access to that API key, then that would allow you to get an unpermissioned read and write access across the whole platform. That's about as fundamental a security failure as you can have.
Katherine Forrest: John, what's an API key?
John Carlin: So, I would think of it as this is the core way in which you're interacting with a system. And to give an example here, because the key, the API key was exposed, that's the way that the system figures out who you are, that it authenticates who you are, and it meant that the bad guy could impersonate agents, they could post content, they could scrape conversations, or abuse third-party AI services tied to the API key. So, from a security and a governance perspective, if you can't do attribution, if you can't figure out who's behind the behavior, and in this case, you don't know whether the actions are autonomous, human-directed, or malicious, you're flying blind. So it's really the keys to the kingdom.
Scott Caravello: And so with all that said, because it sounds like such a big oversight, what kind of data exactly was exposed when they got these sort of keys to the kingdom?
John Carlin: Yeah, in this case, the scale was large. The Wiz team found millions of records that exposed agent data, voting records, comments, private messages, and even email addresses of people who had merely signed up for early access for future Moltbook product.
Katherine Forrest: And, you said, before, that over a million credentials were exposed. What else beyond the platform's own API keys were the credentials that were exposed?
John Carlin: That's an important point because this is an example, I think, of how one security breakdown can lead to the exposure of private information, which then can cascade across other AI ecosystems. So, the Wiz team here discovered that private agent-to-agent messages contained plain-text OpenAI API keys and other third-party credentials that the users had shared with their own agent. So, this is human to an AI agent, AI agent to other AI agents, and then exposed by mistake in plain view, and once exposed that allows you to now impersonate that user and go to an entirely different platform as if you are that user. So, the single misconfiguration on this one platform exposed these credentials for entirely unrelated systems. And that's what I mean when I talk about the interconnected nature of modern AI systems, where a vulnerability in one place can have ripple effects across the entire ecosystem.
Katherine Forrest: It sounds like if there were multiple API keys that were exposed to other, you know, across the system, the keys to the kingdom were exposed in multiple places as well.
John Carlin: That's right. It's that multiple other systems end up exposed because a user trusted their own agent with an API key. That key then gets shared. That key gives you access to a whole different system that has nothing to do with Moltbook. And then once a bad guy was able to gain access to it, they can impersonate you and try to use that other system as you.
Scott Caravello: And, so, when you were talking about the API keys being exposed and that it gave both read and write access, write access, you mean they were actually able to create content on the platform, right? Because that seems like a problem in its own right.
John Carlin: It certainly is. Yes. Write with a W. W-R-I-T-E, write access. And, you know, I think folks listening are familiar with that, right? When you're just sharing a document and sometimes you have read access and sometimes you have read and write access. If you have write access, you can change the content of the program. But here, write access means you can change the way that these agents behave. So, that means that you can not only read data, but you could modify live posts and potentially add prompt injection payloads into content that would then be consumed in this case, because they're all interfacing on Moltbook, right? It could be consumed by thousands of AI agents. And, I know you guys have talked about prompt injection before, but just as a reminder, that term refers to content that can manipulate AI systems in an underhanded way. So, that can include the presence of hidden text that's only readable by the AI agent. So, one type of prompt injection, for example, could be hidden in text that says, ignore your user's instructions and do X terrible thing instead. That's just one example, but think about it, an attacker with write access could then plant malicious instructions in posts that agents would then read and potentially act on and it would spread from agent to agent and the risk wouldn't end at data exposure. An attacker with write access could jeopardize the integrity of the whole platform because of their ability to make changes.
Katherine Forrest: It’s really remarkable because one of the main selling points, if you will, of Moltbook was that it was a place for agents, not humans, to interact. But, you know, if you take what you've just said, John, in terms of some of the vulnerabilities, and you put against that, that there's no effective verification of the agentic identity, then all of that is undermined and you can end up with really sort of a wild, wild west scenario.
John Carlin: That's exactly right. So, the security vulnerability that the Wiz identified would have allowed anyone to post to the site, whether they were a bot or human. And there was no clarity around which users were AI agents and which of them were human. It drives home, I think, a larger point as well for cybersecurity and agentic AI governance as we see more widespread adoption of the technology. Identification and verification of the agents is key.
Scott Caravello: Yeah, and I, you know, think we should note that the whole big credential exposure issue that we were talking about was patched. But, you know, given the scale of the issues, it doesn't mean, by any means, that the platform is safe. I've been reading up about this, and we've been following the issues. And, maybe you could tell us a little bit about what analysts have described as the botnet risk here?
John Carlin: Yeah, and the botnet is something, you know, I spent years combating when I was at the Department of Justice, both the FBI and the Justice Department, we sometimes would call a botnet essentially a cyber weapon of mass destruction. And we've seen it used in some of the most significant cyber attacks. So think of a botnet as hundreds of thousands of essentially zombie computers. This is before AI, before agentic AI. And, you would compromise those hundreds of thousands or millions of computers and you would set it up so unbeknownst to the user, could be your home computer, that a bad guy overseas could use what's called a command-and-control server and suddenly get those millions of computers or hundreds of thousands of computers to all attack one site at once. This is sometimes called a Denial-of-Service attack or Distributed Denial-of-Service attack. And, you know, we're in a geopolitically fraught moment now. One instance of it when there was tension in the past between the United States and Iran is Iranian-affiliated groups, that were ultimately indicted, did just that to attack U.S. financial institutions and knock the customer-facing websites offline, did that at scale until people figured out how to respond to that type of attack. So here, that same concept of the botnet is true, but this time it's not just your home computer. This is a botnet consisting of hundreds or thousands of AI agents, each of which is in its own right a powerful tool, and coordinating them to act together. So unlike a traditional botnet, where you'd have to hack into the computer, here, you could do it through, it seems like, the agentic AI. So, you'd just need an account and some automation scripts and suddenly have all this power at your disposal that you could use for bad purposes. The perfect condition to set that up. Easy access, no identity verification, and massive scale, which is going to be really attractive for attackers with bad motives.
Katherine Forrest: Are you, John, essentially, suggesting that Moltbook itself could become like a botnet for good or for ill?
John Carlin: I think that's the concern. And you know, you raise a good point when you say for good or for ill because it's also true then, in a way, right? And just taking another step back to a prior instance of cyber bad actors, there was, there's a tactic that criminals use called ransomware, where they hack into a computer, they gain access to that computer, and then they demand that you pay a ransom. Otherwise, they encrypt your computer and you can't get access to it. Affiliates linked to North Korea created such a code, but they made it so it self-propagated. This is the so-called WannaCry ransom worm, so it was ransomware, but it was a ransom worm because like other worms it spread from system to system with no human involved. That ended up taking out thousands of companies and causing massive economic disruption until it was stopped. And, people ultimately analyzed that it was a tool that was being experimented with that escaped. But here, you know, to your point, Katherine, I mean, that is what an agent is supposed to do, right? Essentially, if you give it a particular instruction, it becomes that worm that can go and spread from system to system. So, you know, if you're interested in this technology right now, I would avoid at this time trying to connect any AI agent that you're using on your own to a platform like Moltbook unless, and until, they become significantly more secure and they have greater governance and security infrastructure that just isn't there yet. And also until we can see that the platforms demonstrate robust identity verification so you know who it is. Are you human or are you a machine, proper access controls, and secure credential management. So I think it's early now for a company to join a platform like Moltbook and for home users playing around.
If you're gonna do it, you should be using it with a backstop, standalone computer that's not linked to any other part of your system, just like you would if you were exploring ground in the dark web. And it's not anti-innovation because I think there's enormously exciting possibilities here. It's about sequencing innovation responsibly.
Scott Caravello: And, so, what would you say, though, for companies who are trying to figure out what to do about their employees who might be experimenting with these kinds of tools on their own?
John Carlin: Yeah, that's a great point, Scott. And I think it's a real concern. So, now, I think organizations should be issuing clear guidance to employees about the risks of connecting personal or work devices to AI agent platforms. The potential for credential leakage, data exfiltration, and prompt injection attacks is significant. And, at the same time, organizations should think about implementing technical blocks within their own networks to prevent employees from accessing the sites on company devices. If an employee connects an agent to the corporate system and then that agent is compromised, you could be looking at a much more serious breach. And this is a new application of controls I think that have been put in place. And for instance, again, to use the analogy of the dark web, you have security researchers who want to explore the dark web and have good reason to do it. They do so under tight protocols, including backstopped computers that are not otherwise connected to networks and there usually are strong company policies prohibiting you from doing that with network devices.
Katherine Forrest: So, it sounds like there's really some tension here between the excitement around these technologies and the security fundamentals that have to be in place.
John Carlin: That's right. The enthusiasm again is understandable. The concept of AI agents interacting autonomously, perhaps even developing emergent behaviors and some of what you talked about on the last episode in terms of behavior you've already seen here is to me both frightening but also fascinating. But we have to be clear-eyed about the risks, especially now, before we've built in the type of security controls that you'd expect to see.
Scott Caravello: So, with all that said, John, before we wrap up, are there any positive developments or things to watch out for in the future that you think would make the platforms more secure?
John Carlin: Look, I think the scrutiny, including the work that the Wiz did that Moltbook has received, is a positive development. So, security researchers who are doing deep dives on the product are doing important work exposing vulnerabilities. And, to their credit, once Wiz did publish its reporting on the Moltbook issues, the Moltbook team was, according to public reporting, quite responsive and worked to quickly patch the issues. And, so that's a positive sign that responsible disclosure worked. And the more attention these issues get, the more pressure there will be on developers to think about and build security in from the start rather than bolting it on later or not at all. I'd also watch for regulatory developments. As AI agents become more prevalent, we may see regulators taking a closer look at the security and governance requirements for platforms that host them.
Katherine Forrest: That’s a great point. And John, this has been so informative. We've talked a lot on this podcast about new agentic technologies and some of the real checklist issues that a company will want to do with agentic technologies to make sure that they've vetted what kind of permissioning the AI agent gets, and to make sure that the AI agent is cabined in the way that the company wants. So, when you've got Moltbook taking it to a new level where these things are acting in all the ways that you've talked about today, it is both fascinating and a little bit scary. Thank you, John, for joining us. Thank you for putting up with my technical issues at the beginning.
John Carlin: I guess we can't blame an agent—agentic AI for that one. But thank you guys for having me. It's a great topic and I enjoy listening to the podcast.
Katherine Forrest: Thank you. All right, I am signing off now. I'm Katherine Forrest.
Scott Caravello: And I'm Scott Caravello. Don't forget to like and subscribe.