Google Bard: Data leak reveals personal chats

Google's chatbot, Bard, sends private chats from users into the public domain. The chats, including the question and AI answer, can be found via search engines such as Google or Microsoft. Once known, the link to the chat can also be accessed directly.

Introduction

Google Bard is a chatbot from Google. It now also comes with a supposed autocorrect function. However, tests have shown that the autocorrect function does not work properly. Instead of correcting incorrect statements, it often confirms them. On the other hand, correct statements are shown as possibly incorrect. In short: the correction is not a correction.

Google Bard contains several security vulnerabilities:

1. Private links became public and exposed private chat histories.

2. Third parties can take over the chat history and thus the AI memory of another user and elicit information from Bard's memory.

3. Images that a user uploads to Bard as part of a question, and that Bard hides as a precaution, can easily be reconstructed by asking the chatbot.

Status: 29.09.2023

This article was prompted by a report from a user. He discovered that chat histories from Google Bard were becoming public, although this was not intended.

The case likely arose from this configuration:

  1. A user chats with Google Bard.
  2. The user shares the link with others (but only with selected people).
  3. Google places the link in its search index.
  4. The link could be found via Google search.

Sharing a link in Google Bard is done using the share function:

Create link to share in Google Bard. Source: Google Bard.

As you can read, the link is initially secret and has a cryptic structure. Only people who receive the link manually from the sharing user know the link and can access it.

However, the Google Bard data leak made the secret links to private chat histories public.
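
An unguessable share URL stops being secret once any crawler learns it, so the share page itself has to opt out of indexing. The following check is an added example (not code from this article or from Google): it inspects a response for a `noindex` directive that applies to all crawlers. The sample responses and the `/share/<token>` path are constructed.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for noindex, nofollow

def split_directives(value):
    return {part.strip().lower() for part in value.split(",") if part.strip()}

class RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        # Only the generic "robots" name applies to every crawler; a tag
        # scoped to one bot (e.g. name="googlebot") leaves the others free.
        if tag == "meta" and attr.get("name", "").strip().lower() == "robots":
            self.directives |= split_directives(attr.get("content", ""))

def robots_directives(headers, body):
    """Directives addressed to all crawlers, from headers and HTML."""
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            # "googlebot: noindex" stays one token, so scoped values never match.
            found |= split_directives(value)
    parser = RobotsMetaParser()
    parser.feed(body)
    return found | parser.directives

def is_indexable(headers, body):
    """True if nothing tells every crawler to keep the page out of its index."""
    return not (robots_directives(headers, body) & BLOCKING)

# Constructed sample responses for a hypothetical /share/<token> page.
SAMPLES = {
    "no directive": ([("Content-Type", "text/html")], "<html><head></head></html>"),
    "header noindex": ([("X-Robots-Tag", "noindex, nofollow")], "<html></html>"),
    "meta noindex": ([], '<head><meta name="robots" content="NOINDEX"></head>'),
    "googlebot only": ([("X-Robots-Tag", "googlebot: noindex")], "<html></html>"),
    "nofollow only": ([], '<meta name="robots" content="nofollow">'),
}

def audit(samples):
    """Names of the sample responses a crawler would be free to index."""
    return sorted(name for name, (h, b) in samples.items() if is_indexable(h, b))

print("indexable share pages:", audit(SAMPLES))
```

A robots.txt `Disallow` is not a substitute: a crawler that is barred from fetching the page never sees the `noindex`, and the bare URL can still be listed if it is linked elsewhere.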

The Google Bard data leak

Some search terms in Google Search led directly to hits containing "secret" links to private chat logs from Bard. The link was then no longer secret and could be seen and opened by anyone.

Here is an example of a chat history that was exposed by the data leak:

Chat history from Google Bard accidentally leaked by Google. Status: 29.09.2023

Both the question and the answer from the AI contain a person's name. The context added by the AI response could become a problem from a data protection perspective, as it might contain false statements.

The Bard response nonetheless makes clear that maximally flattering statements about people, which seem unrealistic, are the order of the day. For example, it says: "He is an experienced and successful SEO- and data analyst …".

It would also be conceivable that someone publishes a defamatory quote about a person. If Bard denies this, it's unpleasant. If this chat history is then unintentionally further disseminated, it's even more unpleasant and would probably also be a problem for Google.

It gets even worse here:

A person's name is given in the chat and a CV is also uploaded.

The chat contains a full personal name, which has been anonymized here for the screenshot. The person's name can be described as potentially unique because the first name and surname are anything but typical. There is also the city in Germany.

Of course, Bard will also provide the curriculum vitae on request:

Bard allows you to continue a conversation that someone else was having.

With Bard, a third party can continue another person's conversation. Anyone can potentially steal someone else's context and ask Bard about it. This opens the door to security problems.

Another example (from 29.09.2023) shows that the data leak can also cause security problems:

Link to a Google Drive database made public thanks to Google Bard.

The URL mentioned can be called up, as a test showed. It is valid and leads to a Google Drive storage that someone uses for their documents and files.

Another example shows a chat in which the URL to a personal CV was sent directly to Bard as a question:

Thanks to Bard, third parties can retrieve personal data from Bard users.

The URL was accessible (as of 29.09.2023) and will probably be for all eternity until someone decides to remove their CV again.

Direct search for Bard chats

A direct search for Bard URLs that had accidentally become public was also possible until 28.09.2023. Only the following had to be entered in the Google search:

Share on Google Bard site with optional search term

The result was a large number of hits that made previously secret chat histories available to the public. Google has apparently shut this down.

However, Google has not deactivated the URLs for private chat histories that were created for internal sharing with friends or colleagues. These URLs are therefore still accessible; this harmless example, for instance, can still be accessed now.

Google Bard is really insecure

In some chats with Bard, users upload a picture and ask Bard for an explanation or description of the picture.

Good thing Bard hides the image when someone who didn't create the chat opens a link to the chat history. It looks like this:

Bard tries to protect images from others who upload them to their chats.

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.