Critical Copilot vulnerability allowed hackers to steal 2FA code from users
9 hours ago
- #AI Security
- #Microsoft Copilot
- #Data Breach
- Microsoft patched a critical vulnerability in M365 Copilot AI, rated as max critical.
- Researchers discovered an exploit that could retrieve 2FA codes and sensitive data from emails accessible to Copilot.
- AI bots struggle to distinguish between user instructions and malicious commands in third-party content, leading to data breaches.
- Guardrails in Copilot, such as preventing form submissions and restricting site visits, are being bypassed by hackers using markup language and HTML tags.
- Varonis devised an exploit called Parameter-to-Prompt Injection, which places malicious commands in URL query parameters to evade security measures.