One Click Triggered a Stealthy Copilot Attack
▼ Summary
– Microsoft fixed a vulnerability in its Copilot AI that let hackers steal sensitive user data via a single malicious link click.
– The attack, demonstrated by white-hat researchers, exfiltrated personal details like name, location, and chat history without further user interaction.
– The exploit bypassed enterprise security controls and continued running even after the user closed the Copilot chat window.
– The malicious link contained a detailed prompt in a URL parameter that tricked Copilot into embedding and sending user secrets to a hacker-controlled server.
– The attack used a multi-stage process where a disguised file contained further instructions to extract and transmit additional personal data.
A recent security flaw in Microsoft’s Copilot AI assistant has been patched, addressing a critical vulnerability that could have allowed attackers to steal sensitive user information with just one click. The issue, discovered by cybersecurity researchers, highlights the potential risks associated with AI-powered tools and the importance of robust security measures. This incident serves as a reminder that even advanced productivity aids can become vectors for data exfiltration if not properly safeguarded.
Security experts at Varonis, acting as ethical hackers, demonstrated how a carefully crafted attack could bypass enterprise security systems. Their method involved sending a target a single malicious link. When clicked, this link triggered a multi-stage exploit within Copilot, siphoning off personal data like the user’s name, location, and details from their chat history. Alarmingly, the attack continued to run autonomously even after the user closed the Copilot chat window, requiring no further interaction.
The exploit leveraged a common feature where large language models process URL parameters. The link directed to a domain controlled by the researchers but included a long string of detailed instructions appended to the end. This prompt tricked Copilot Personal into embedding private user details into web requests sent to the attacker’s server.
The instructions were disguised within a convoluted prompt that appeared to be a coding puzzle or riddle. It directed the AI to first change a variable and then examine a URL, embedding a user secret into a web request. This initial data theft was just the first step. The server then responded with further disguised commands hidden within what appeared to be an image file. These subsequent instructions prompted Copilot to gather and transmit additional sensitive information, such as the user’s precise location and username.
The entire process evaded standard endpoint security controls and detection software, operating stealthily in the background. This demonstrates a sophisticated attack vector where the AI assistant itself is manipulated into becoming the tool for data theft. The researchers noted that the exploit was effective immediately upon clicking the link, emphasizing the low barrier for a potential attacker once a vulnerable system is identified.
Microsoft has since resolved the vulnerability, but the case underscores the evolving challenges in securing AI interfaces. As these tools become more integrated into daily workflows, ensuring they cannot be weaponized through prompt injection or similar techniques is paramount. Organizations are advised to maintain vigilance, apply security patches promptly, and consider the unique threat models presented by AI-powered applications.
(Source: Ars Technica)
