AI community platform Moltbook has been found to have a serious security vulnerability that leaked 1.5 million tokens and tens of thousands of personal records. Security firm Wiz further points out that Moltbook claims to have 1.5 million registered agents, but what does the database data actually show?
Popular AI Community Platform Moltbook Faces Security Issues, Anyone Can Take Over Accounts
After the rise of OpenClaw (formerly Moltbot, Clawdbot), Moltbook, a community platform billed as exclusive to AI Agents, where agents interact independently and human users are not allowed, has recently attracted public attention.
However, according to independent media outlet 404 Media, hacker Jameson O’Reilly quickly discovered that Moltbook’s backend had serious configuration errors that exposed its API in a publicly accessible database. This means anyone who knew of the flaw could take control of any AI Agent on the site and publish content at will.
Moltbook’s human founder Matt Schlicht recently posted claiming that he did not write a single line of code for the platform himself; instead, he directed AI assistants to build the entire system architecture, a development mode known as Vibe Coding.
Image (source: X): Moltbook’s human founder Matt Schlicht states the platform was built using Vibe Coding
Moltbook Lacks Security Protections, API Keys and Email Exposed
After investigation by security firm Wiz, it was found that Moltbook not only exposed credentials for AI Agents but also led to the leak of thousands of human users’ credentials.
Jameson O’Reilly stated that after discovering the vulnerability, he attempted to contact the founders for help in fixing it, but the initial response was somewhat dismissive. It was only after the vulnerability was confirmed to potentially allow anyone to take over AI accounts of well-known figures like OpenAI co-founder Andrej Karpathy that the database was urgently shut down.
According to a detailed analysis report released by Wiz, Moltbook uses the open-source database software Supabase, but because of a misconfiguration, Row Level Security was not enabled, so anyone holding the public key had full read/write access to the database.
Wiz’s investigation shows that the scope of the leak is extensive, affecting 1.5 million API tokens, 30,000 email addresses, and private messages between agents.
Even more surprisingly, Wiz found that these private messages were unencrypted, so third-party keys that some users had exchanged in them (such as OpenAI API keys) were leaked as well.
Image (source: Wiz): Wiz’s research shows the process by which Moltbook leaked tokens and API keys
Moltbook Claims 1.5 Million Registered Users, But What Is the Truth?
Wiz’s report also reveals how Moltbook actually operates. Although the platform claims to have 1.5 million registered agents, database data shows that only about 10,000 to 17,000 human owners are behind them, with an average of 88 agents operated per person.
This confirms that this so-called revolutionary AI social network is actually mainly operated by humans controlling large fleets of bots. It also reflects that the so-called AI agent network is still in very early stages, with developers actively exploring how to implement agent identities, participation, and authenticity, while related support mechanisms are still evolving and improving.
Jameson O’Reilly also pointed out that the security vulnerabilities could be fixed with just two lines of SQL commands, but many novice developers relying on AI to write code often overlook fundamental security settings due to overdependence on graphical interfaces.
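The missing control described above, sketched as an added example (not Moltbook's schema and not the exact statements O’Reilly referred to): an audit for tables without Row Level Security in a Supabase/PostgreSQL project, followed by the fix. The table `public.agents` and its `owner_id` column are hypothetical; `anon`, `authenticated` and `auth.uid()` are Supabase's standard roles and helper.

```sql
-- Hypothetical table for illustration; not Moltbook's actual schema.
CREATE TABLE IF NOT EXISTS public.agents (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    owner_id  uuid NOT NULL,   -- assumed to hold the owner's auth.uid()
    name      text NOT NULL,
    api_token text NOT NULL
);

-- 1. Audit: ordinary tables in the API-exposed schema with RLS switched off.
--    Any row returned is reachable with whatever the public key's role is granted.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname = 'public'
  AND NOT c.relrowsecurity;

-- 2. Audit: privileges the unauthenticated (anon) role holds on those tables.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'public'
  AND grantee = 'anon'
ORDER BY table_name, privilege_type;

-- 3. Fix: enable RLS. With RLS on and no policy defined, every role except
--    the table owner and roles with BYPASSRLS is denied by default.
ALTER TABLE public.agents ENABLE ROW LEVEL SECURITY;

-- 4. Then grant back only what is needed: signed-in owners see and change
--    their own rows; the anon role gets no policy and therefore no rows.
CREATE POLICY agents_owner_select ON public.agents
    FOR SELECT TO authenticated
    USING (owner_id = auth.uid());

CREATE POLICY agents_owner_update ON public.agents
    FOR UPDATE TO authenticated
    USING (owner_id = auth.uid())
    WITH CHECK (owner_id = auth.uid());
```

Re-running the first query after the fix should return no rows for the tables that were changed.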
Security Team Assists Moltbook in Fixing Vulnerabilities
After discovering the security issues, Wiz’s team quickly assisted Moltbook in patching the vulnerabilities and confirmed that the relevant data had been deleted.
However, Wiz also emphasized that because this vulnerability allowed unauthenticated users to directly modify real-time posts on the site, the content on the platform before the fix could no longer be verified for authenticity and completeness. Anyone could impersonate AI Agents to publish malicious content, perform prompt injection attacks, or even alter the entire website.
Image (source: Wiz): Wiz’s testing shows the ability to arbitrarily alter content posted by AI Agents on Moltbook
Rapid Launch to Gain Attention, Then Talk About Security
The Moltbook security incident serves as another wake-up call in the tech industry, reminding the public that even if AI can perform tasks, it does not mean it can do so correctly and securely.
Jameson O’Reilly also lamented that Moltbook’s security incident reflects a development approach of “rapid deployment, gaining attention, and discussing security later”—only after hundreds of thousands of data records are leaked do developers realize the importance of security.