The first Patch Tuesday (Wednesday in the Antipodes) for the year included a fix for a single-click prompt injection attack affecting the consumer version of Microsoft's Copilot artificial intelligence (AI) that could've leaked user data.
Data security vendor Varonis, which documented the vulnerability and reported it to Microsoft, named the flaw Reprompt.
If exploited, the Reprompt exploit chain could exfiltrate data such as file access history, location, conversation memory, the user's name and events from the Copilot chat history.
The attack involves tricking a target into clicking on what appears to be a legitimate link leading to Microsoft's Copilot chatbot via a web browser.
A specially crafted ?q= parameter in the link contained a pre-filled AI prompt for the chat interface; Varonis calls this Parameter 2 Prompt or P2P injection.
Once the victim's authenticated Copilot session is loaded into the browser, the prompt injection causes the AI to communicate with an attacker-controlled server.
Follow-up prompts chained to each other from the attacker's server to Copilot, and returned from the AI, provided command and control over the session.

At this stage, the attacker could start exfiltrating information such as conversation history, attached files and other sensitive data that Copilot has access to in the compromised session.
The attack can persist even if the user closes the Copilot chat tab in the browser, as the session-level context is being abused.
Client-side detection tools could miss the attack payload as well, as it arrives later in the sequence of chained responses from the server Copilot communicates with.
Beyond the initial link click, no further user interaction with Copilot is required, nor any plugins, Varonis said, and added that there's no limit to the amount or types of data that can be exfiltrated.
Varonis recommended that users be cautious about clicking on links, especially if they open AI tools or prefill prompts.
Reviewing any prefilled prompts for AI is also a good idea, to ensure they look safe.
The security vendor also said to watch out for AIs asking for personal information, and to close the session and report it if that happens.
No Common Vulnerabilities and Exposures (CVE) index has been assigned to Reprompt, and there are no reports that it was exploited.
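
The advice above to review prefilled prompts can be automated at a mail or web gateway. The following Python check is an added example, not code from Varonis or Microsoft: it decodes the ?q= parameter of links to an AI chat host and flags prompts that reference an external URL. The hostname list, the severity labels and the sample links are assumptions constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: hostnames serving the AI chat UI in your environment (not listed in the article).
AI_CHAT_HOSTS = {"copilot.microsoft.com"}
PROMPT_PARAMS = {"q"}  # the ?q= parameter the article describes
URL_IN_PROMPT = re.compile(r"(?i)\bhttps?://[^\s<>]+")
MAX_DECODE_ROUNDS = 3  # unwrap nested percent-encoding that hides the prompt text


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_link(link: str) -> Optional[dict]:
    """Return a finding if the link opens an AI chat with a pre-filled prompt."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if host not in AI_CHAT_HOSTS:
        return None
    params = parse_qs(parts.query)  # already decodes one layer
    for name in PROMPT_PARAMS:
        for raw in params.get(name, []):
            prompt = fully_decode(raw)
            remote = URL_IN_PROMPT.findall(prompt)
            return {
                "host": host,
                "prompt": prompt,  # show the reviewer exactly what would be pre-filled
                "remote_urls": remote,
                "severity": "high" if remote else "review",
            }
    return None


# Constructed sample links (not taken from the Varonis research).
SAMPLES = [
    "https://copilot.microsoft.com/?q=summarise%20my%20meeting%20notes",
    "https://copilot.microsoft.com/?q=load%2520https%253A%252F%252Fexample.invalid%252Fnext",
    "https://example.org/search?q=copilot",
    "https://copilot.microsoft.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link))
```

A prefilled prompt without an external URL is still surfaced at the lower "review" level, so the decoded text can be shown to the user before the link is opened.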




