SpaceXAI Disables Grok Build Feature After Codebase Data Leak

0 comments

Security researchers expose automated codebase leaks

SpaceXAI has disabled a feature in its Grok Build AI coding tool following reports that the software was uploading entire user codebases to Google Cloud. Security researchers at Cereblab discovered the tool was bundling and transmitting full repositories, including files it had been instructed not to access and secrets that had been removed from a project’s history. The company confirmed it stopped the practice after the findings were made public.

Cereblab uncovers bypass of configuration safeguards

On Monday, researchers at the security firm Cereblab reported that the Grok Build command-line interface (CLI) was automatically uploading comprehensive code repositories to Google Cloud. According to the firm’s analysis, the tool ignored instructions to not access certain files, potentially exposing proprietary source code, information about security vulnerabilities, and credentials.

Cereblab uncovers bypass of configuration safeguards

Dr. Lukasz Olejnik, an independent security researcher at King’s College London, characterized the level of data retention as “excessive.” He noted that the exposed material could potentially include infrastructure details and personal data.

Musk promises purge of synced data

Following the disclosure, SpaceXAI implemented a “disable_codebase_upload: true” flag on its servers to halt the automated uploads. Elon Musk addressed the incident on X, stating that any data previously uploaded by Grok Build would be “completely and utterly deleted.”

While Musk maintained that “privacy settings are always respected,” he also encouraged users to permit SpaceXAI to keep their data, arguing that retention is “helpful for debugging issues.”

Dispute over privacy command functionality

SpaceXAI initially suggested in a public post that users could utilize the /privacy command in the CLI to disable data retention and delete previously synced data.

Grok 4.5 Puts SpaceXAI On The Map

Cereblab disputed this characterization, clarifying that the /privacy function operates as a per-session retention toggle rather than the switch that fixed the issue. The researchers emphasized that this command should not be pointed to as the control.

Broader risks in AI-assisted development

The data handling practices of Grok Build have drawn comparisons to other industry-standard AI coding tools. Cereblab noted that the behavior observed in Grok Build involved far broader data retention than tools such as Claude Code. While developers often rely on AI-assisted coding for efficiency, the incident highlights the risks associated with automated data synchronization in development environments.

Summary of incident findings

  • Automated Uploads: The Grok Build CLI was found to be uploading full code repositories, including sensitive secrets and excluded files.
  • Remediation: SpaceXAI disabled the codebase upload feature after Cereblab published its findings.
  • Data Policy: Elon Musk pledged that all previously uploaded data would be deleted.
  • Technical Dispute: Researchers clarified that the tool’s /privacy command was not a global fix for the automated upload behavior.

Related Posts

Leave a Comment