Comment by binsquare

1 day ago

This isn't a novel technical vulnerability write up.

The author had copilot read a "prompt injection" inside a readme while copilot is enabled to execute code or run bash commands (which user had to explicitly agree to).

I highly suspect this account is astro-turfing for the site too... look at their sidebar:

``` Claude Cowork Exfiltrates Files

HN #1

Superhuman AI Exfiltrates Emails

HN #12

IBM AI ('Bob') Downloads and Executes Malware

HN #1

Notion AI: Data Exfiltration

HN #4

HuggingFace Chat Exfiltrates Data

Screen takeover attack in vLex (legal AI acquired for $1B)

Google Antigravity Exfiltrates Data

HN #1

CellShock: Claude AI is Excel-lent at Stealing Data

Hijacking Claude Code via Injected Marketplace Plugins

Data Exfiltration from Slack AI via Indirect Prompt Injection

HN #1

Data Exfiltration from Writer.com via Indirect Prompt Injection

HN #5 ```

10 comments

binsquare

Reply
crummy  1 day ago

Isn’t the news that “curl whatever” will prompt the user for confirmation but “env curl whatever” won’t?

  • binsquare  1 day ago

    It's a valid observation that we can bypass the coding AI's user prompting gate with the right prompt.

    But is it a security issue on copilot that the user explicitly giving AI permission and instructed it to curl a url?

    Regardless of the coding agent, I suspect eventually all of the coding agents will behave the same with enough prompting regardless if it's a curl command to a malicious or legitimate site.

    • roywiggins  1 day ago

      The user didn't need to give it curl permission, that's the whole issue:

      > Copilot also has an external URL access check that requires user approval when commands like curl, wget, or Copilot’s built-in web-fetch tool request access to external domains [1].

      > This article demonstrates how attackers can craft malicious commands that go entirely undetected by the validator - executing immediately on the victim’s computer with no human-in-the-loop approval whatsoever.

      3 replies →

roywiggins  1 day ago

It's probably bad that the system 1) usually prompts you to take shell actions like `curl`, but 2) by default whitelists `env` and `find` that can invoke whatever it wants without approval.

If 2) is fine then why bother with 1)? In yolo mode such an injection would be "working as designed", but it's not in yolo mode. It shouldn't be able to just do `env sh` and run whatever it wants without approval.

fulafel  1 day ago

It does circumvent a flimsy control:

"The env command is part of a hard-coded read-only command list stored in the source code. This means that when Copilot requests to run it, the command is automatically approved for execution without user approval."

politelemon  1 day ago

Reading the other posts on their site, I don't agree. It's just like any other security research shop. I've found most of their posts quite thorough and the controls being circumvented well explained.

altairprime  1 day ago

Please email the mods rather than posting accusations of astroturfing. You may well be right, but they specifically direct us to say that to them rather than in comments. The footer contact email works well for this.