Western European high-speed rail service operator Eurostar has accused Pen Test Partners researchers of blackmail after their disclosure of four security flaws impacting the firm's AI chatbot through its vulnerability disclosure program, The Register reports.
After having its reports on the vulnerabilities which include a HTML injection issue that could be exploited to displlay illicit code or a phishing link and a stored cross-site scripting bug that could enable session takeovers and secrets compromise through the firm's VDP ignored in June, Pen Test Partners was then urged to submit its report by mid-July, only to learn that there has been no record of the report, according to the penetration testing and security consulting firm.
Fixes were eventually issued by Eurostar for certain vulnerabilities, prompting Pen Test Partners to publish its blog. However, Eurostar later alleged that the researchers were engaging in blackmail during a back-and-forth on LinkedIn, said researchers.
Such claims from Pen Test Partners have yet to be acknowledged by Eurostar, which has also yet to detail whether all of the identified chatbot flaws have already been addressed.
After having its reports on the vulnerabilities which include a HTML injection issue that could be exploited to displlay illicit code or a phishing link and a stored cross-site scripting bug that could enable session takeovers and secrets compromise through the firm's VDP ignored in June, Pen Test Partners was then urged to submit its report by mid-July, only to learn that there has been no record of the report, according to the penetration testing and security consulting firm.
Fixes were eventually issued by Eurostar for certain vulnerabilities, prompting Pen Test Partners to publish its blog. However, Eurostar later alleged that the researchers were engaging in blackmail during a back-and-forth on LinkedIn, said researchers.
Such claims from Pen Test Partners have yet to be acknowledged by Eurostar, which has also yet to detail whether all of the identified chatbot flaws have already been addressed.




