Comment by jofzar

11 hours ago

> Responsible Disclosure GitLost was responsibly disclosed to GitHub. Vulnerability details are shared here with their knowledge.

Why does this section not have when it was fixed or GitHub acknowledge/rejected this?

Did they not fix this?

This isn’t a normal software bug, it’s not fixable in the same way you can’t fix regular support staff from being tricked.

The answer is you should not allow LLMs access to untrusted input and sensitive data at the same time.

  • Your second paragraph directly contradicts the first.

    • The point is that Github can’t fix it. It’s the user’s responsibility to not grant access to accounts that shouldn’t have access to the resources in question.

Fix what? They setup LLM with access to private data and ability to read public comments. That's simply misconfiguration.

  • The OP notes that they had to use special phrasing to get their exfil to work, so clearly GitHub was aware of the issue and made an attempt to prevent it.

    It seems like the proper fix is for GitHub not to allow their agentic workflow to execute in a public repo context if it also has private repo access. Or, to use your phrasing, for GitHub to flag and disallow this easily-detectable and dangerous type of misconfiguration.

    • This “detectable and dangerous type of misconfiguration” is used by many developed daily and breaking it would break important workflows.

      It’s like saying that an OS should enforce that home directories can only have 0600 permissions. Yes, it prevents accidentally configuring world readable on files, but there are legit reasons for wanting to share a file from your home dir.