A security researcher found multiple vulnerabilities in Microsoft Copilot that could expose users' private information, allowing data theft. Microsoft patched the vulnerabilities following the bug report. However, the exact mitigation technique remains unclear.
Multiple Microsoft Copilot Vulnerabilities Could Leak Data
Researcher Johann Rehberger recently shared insights about serious security issues with Microsoft's flagship AI, Copilot. Rehberger found multiple vulnerabilities that could allow an adversary to steal data by injecting malicious prompts into Microsoft Copilot.
Specifically, the researcher demonstrated ASCII smuggling to inject malicious prompts into an AI model. Since prompt injection attacks remain a problem for the security of AI models, Copilot is no different, being equally vulnerable to such attacks.
In his attack technique, the researcher used Unicode characters mirroring ASCII that were invisible in the user interface. So, while the user would not see these characters, the LLM would still read them and respond accordingly. The attacker could deliver such characters through various means, such as by embedding them inside clickable links. Clicking on such links would send data to third-party servers, allowing data exfiltration.
To inject such malicious prompts, the attacker could trick Copilot via maliciously crafted emails or documents. Upon processing such documents, Copilot would follow the prompts inside the document and generate the related output, allowing data theft.
The researcher shared the following video as the proof-of-concept, with the technical details in his write-up.
Rehberger found the vulnerability in January 2024 and promptly reported the matter to Microsoft. After multiple communications over the following months, Microsoft patched the vulnerabilities.
It remains unclear how Microsoft addressed these issues to prevent data exfiltration. The tech giant did not share any details about the patch despite Rehberger's request. However, the researcher advised Microsoft to prevent the automatic invoking of tools following malicious prompts, and not to render hidden characters and clickable links. The end results of Microsoft's patches demonstrate the same.
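As an added illustration of the hidden-character technique described above and of the "do not render hidden characters" mitigation, here is a small input sanitizer that is not part of the original article or of any Microsoft code. It assumes the invisible characters come from the Unicode Tags block (U+E0000 to U+E007F), whose upper range mirrors printable ASCII; the sample email body is constructed for this example.

```python
import re

# Unicode Tags block: U+E0000..U+E007F. Code points U+E0020..U+E007E mirror
# printable ASCII 0x20..0x7E and render as nothing in most user interfaces.
TAG_BASE = 0xE0000
TAG_RE = re.compile("[\U000E0000-\U000E007F]+")


def decode_tags(run: str) -> str:
    """Map a run of Tags-block characters back to the ASCII they mirror.

    Used only to log what a reviewer would otherwise never see.
    """
    out = []
    for ch in run:
        cp = ord(ch) - TAG_BASE
        out.append(chr(cp) if 0x20 <= cp <= 0x7E else "?")
    return "".join(out)


def scan_hidden_text(text: str):
    """Strip hidden Tags-block runs from text before it reaches an LLM or a UI.

    Returns (visible_text, findings); each finding records where a hidden run
    sat in the original and what ASCII it decodes to, for alerting and review.
    """
    findings = []

    def _record(match):
        findings.append({"offset": match.start(),
                         "hidden": decode_tags(match.group(0))})
        return ""  # drop the hidden run from the text that is rendered/processed

    cleaned = TAG_RE.sub(_record, text)
    return cleaned, findings


# Constructed sample: an email body carrying an invisible " ignore" between
# two visible sentences (the \U000E00xx escapes are Tags-block code points).
SAMPLE_EMAIL = (
    "Hi team, please review the Q3 numbers."
    "\U000E0020\U000E0069\U000E0067\U000E006E\U000E006F\U000E0072\U000E0065"
    " Thanks!"
)

if __name__ == "__main__":
    visible, hits = scan_hidden_text(SAMPLE_EMAIL)
    print(visible)
    for hit in hits:
        print(f"hidden text at offset {hit['offset']}: {hit['hidden']!r}")
```

Run the same scan over link text and URLs before they are rendered as clickable, since the article notes that links were one of the carriers.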
Earlier, Microsoft also patched an SSRF flaw in Copilot. Exploiting that vulnerability could expose sensitive information from a firm's internal network.