Stealing AI models through a public API
Every day, millions of people upload photos to Facebook, and alternative descriptions are automatically generated: “two men in a restaurant”, “woman with dog in a park.” Automatic Alt Text has existed since 2017, designed for blind users. But it can be exploited in a completely different way.
An e-commerce store owner needs descriptions for a hundred thousand product photos. They could pay an external service, hire people, or just exploit Facebook — upload photos as unpublished posts, extract the generated descriptions, delete the posts without a trace. Facebook’s computer vision model, which cost millions to develop, now works for free for someone else’s business. And technically, no rules are being broken.
Model extraction through a public endpoint
The same logic applies to any exposed inference endpoint. Say you spent three months building a message classifier — detecting whether a user is trying to move a conversation off-platform. 95% accuracy, tuned through many iterations. You expose a simple endpoint: text in, true/false out.
Someone writes a script, sends tens of thousands of varied inputs, records the responses. After a few days they have 50k labeled pairs — enough to train a functionally identical model. Cost: a few dozen dollars for cloud GPU time. Your cost: months of work and thousands in compute. In your server logs, you see nothing but regular HTTP requests.
Free inference via LM Arena
LM Arena lets you compare language models through a public interface — and underneath, there’s an endpoint that can be queried programmatically. Instead of paying for API access, you route requests through LM Arena with a basic proxy to bypass rate limits. Some people build entire commercial products this way, saving thousands monthly. The platform runs on research grants, presumably not intended for this use case.
Why these attacks work
The pattern is consistent across all three cases. First, the traffic is indistinguishable from normal usage at low volumes — only statistical analysis of request patterns reveals anything. Second, the cost asymmetry is extreme: copying an API-exposed model takes hours of scripting, while building the original took months of engineering. Third, the legal situation is genuinely unclear — querying a public API according to its documentation is hard to litigate, even if the intent is systematic model extraction.
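The "statistical analysis of request patterns" mentioned above is the defender's only real handle on the classifier-extraction scenario described earlier, so here is what that analysis can look like in practice. This is an added example, not code from the original post or from any of the platforms it mentions. It assumes a hypothetical JSON-lines access log that records, per request, a timestamp, the caller's API key and a hash of the request body (logging the hash rather than the input keeps the log free of customer data while still measuring diversity). The sample log, the field names and the thresholds are all constructed for the example; in a real deployment the thresholds would be tuned from a baseline of known-good integrations.

```python
"""Flag API clients whose request pattern looks like systematic model extraction.

Added example (not from the original post). Assumes a hypothetical JSON-lines
access log with fields: ts (epoch seconds), key (API key), path, body_sha256.
Extraction traffic tends to show three things an interactive user does not:
sustained volume, metronomic timing (a script in a loop), and almost no
repeated inputs (the harvester wants coverage of the input space).
"""
import json
import statistics
from collections import defaultdict

# Thresholds are assumptions for this example; tune them against real baselines.
MIN_REQUESTS = 50          # below this there is too little signal to judge
MIN_UNIQUE_RATIO = 0.9     # share of distinct request bodies
MAX_TIMING_CV = 0.25       # coefficient of variation of inter-request gaps
MAX_RATE_PER_MIN = 120.0   # sustained rate no interactive user reaches


def make_sample_log():
    """Construct a small sample access log (synthetic data, not real traffic)."""
    lines = []
    # Ordinary integration: few requests, irregular spacing, some repeated inputs.
    acme_times = [1000.0, 1007.3, 1031.1, 1035.9, 1120.4, 1400.2]
    acme_bodies = ["h1", "h2", "h1", "h3", "h2", "h4"]
    for t, h in zip(acme_times, acme_bodies):
        lines.append(json.dumps({"ts": t, "key": "acme",
                                 "path": "/classify", "body_sha256": h}))
    # Scripted harvesting: fixed 0.5 s cadence, a new input on every request.
    for i in range(200):
        lines.append(json.dumps({"ts": 1000.0 + i * 0.5, "key": "bulk",
                                 "path": "/classify", "body_sha256": f"u{i:04d}"}))
    return "\n".join(lines)


def client_features(log_text):
    """Aggregate per-API-key volume, input diversity and timing regularity."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        by_key[rec["key"]].append((rec["ts"], rec["body_sha256"]))

    feats = {}
    for key, events in by_key.items():
        events.sort()
        n = len(events)
        span = events[-1][0] - events[0][0]
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            # Low CV means the gaps are nearly constant: a loop with a sleep().
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            cv = float("nan")  # not enough requests to say anything about timing
        feats[key] = {
            "requests": n,
            "unique_ratio": len({h for _, h in events}) / n,
            "rate_per_min": n / (span / 60.0) if span > 0 else float("inf"),
            "timing_cv": cv,
        }
    return feats


def is_extraction_like(f):
    """Volume plus diversity, combined with either machine-regular timing or
    a rate beyond human use. NaN timing never satisfies the comparison, so a
    client with too few requests cannot be flagged on timing alone."""
    return (f["requests"] >= MIN_REQUESTS
            and f["unique_ratio"] >= MIN_UNIQUE_RATIO
            and (f["timing_cv"] <= MAX_TIMING_CV
                 or f["rate_per_min"] >= MAX_RATE_PER_MIN))


def flag_clients(log_text):
    """Return the sorted list of API keys whose traffic matches the pattern."""
    feats = client_features(log_text)
    return sorted(k for k, f in feats.items() if is_extraction_like(f))


if __name__ == "__main__":
    log = make_sample_log()
    for key, f in client_features(log).items():
        verdict = "EXTRACTION-LIKE" if is_extraction_like(f) else "ok"
        print(f"{key:6} n={f['requests']:4d} unique={f['unique_ratio']:.2f} "
              f"rate/min={f['rate_per_min']:7.1f} cv={f['timing_cv']:.2f} {verdict}")
    print("flagged:", flag_clients(log))
```

Run as a batch job over a day's logs, this puts the scripted client at the top of a review queue while the ordinary integration never crosses the request floor. The point is not that any single feature is decisive (a legitimate batch integration can also be regular and high-volume) but that the combination is cheap to compute from data you already have, and that it is the only place the asymmetry described above becomes visible at all: each individual request still looks like a normal HTTP call.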
The broader point
Automatic Alt Text wasn’t designed to be a free image captioning API. LM Arena wasn’t meant to power commercial chatbots. Every publicly exposed AI feature is also a potential free R&D resource for anyone with the right tools and enough patience.
This is a distinct threat category — not exploitation of vulnerabilities in the traditional sense, but systematic use of what’s been made legally available, contrary to its intended purpose. The interface simplicity that makes a feature easy to integrate is the same property that makes it easy to automate at scale.