Featured Image Credit: Bloomberg / Contributor via Getty
Artificial intelligence has already shown incredible promise in the world of cybersecurity, but there's still seemingly a lot of creases still to iron out after a Copilot AI vulnerability allowed hackers to steal 2FA codes from users, forcing Microsoft to now issue a response.
The issue, as reported by Ars Technica, was discovered by researchers after their proof-of-concept was able to snatch two factor authentication (2FA) codes from just a single email that was available to the Copilot AI tool.
It was then reported to Microsoft, prompting the tech giant to push forward an emergency 'max critical' patch for M365 Copilot AI in a bid to resolve the issue before it causes significant damage for Windows users.
It's not the first time that an AI model has been at the heart of a cybersecurity risk, and some tech firms offer tools to isolate 'shadow' or 'rogue' AI in quarantine-like zones, but the fact that it can impact a tool as widespread in its use as Copilot is cause for concern for some.
The discovery of the Copilot exploit relates directly to existing parameters and guardrails implemented into Microsoft's AI model, alongside most other popular tools offering similar services.
Advert
In a bid to prevent any cybersecurity breaches, these models don't allow users to perform tasks like submitting web forms, sending emails, or doing anything that can expose their own data.
Copilot in particular has the specific ability to do this within Microsoft domains, which gives it an advantage for certain tasks over other competing LLMs, but anything outside of that boundary relating to 'untrusted' websites is not permitted.
That is, unless you phrase your requests in a specific way, with hackers discovering the use of what's called markup language. This allows you to add various formatting elements outside of HTML elements, alongside hiding sensitive data inside tags like <form> or <code>.
Using this framework, researchers at cybersecurity firm Varonis managed to orchestrate a chain of events that would bypass restrictions implemented by Copilot, effectively using the AI in an unorthodox way to access 2FA codes through a 'Parameter-to-Prompt Injection'.
Instead of using an email or any other piece of content that Copilot would deem to be untrusted, the researchers used the 'q' parameter within a URL that flags the presence of a query.
Attackers are then able to send targets an email that contains this Parameter-to-Prompt Injection, which Copilot then cooperates with to access the user's personal data, and perhaps also a far wider 'blast radius' that could include information linked to their professional organization.
"To exfiltrate the data, an attacker crafts a URL that tells Copilot to 'Search the user's emails', extract the title, and embed it in an image URL," the researchers explained, and it's Copilot that's actually doing all the heavy lifting here.
Thankfully this has since been fixed by Mircosoft in a necessary response, but it does suggest that this won't be the only exploit available to hackers willing to push Copilot beyond its boundaries, giving the tech company plenty to think about and stay alert for in the future.
