AI/ML, Vulnerability Management

Lenovo AI chatbot impacted by critical XSS bugs

Threat actors could exploit critical cross-site scripting vulnerabilities in Lenovo's GPT-4-powered artificial intelligence chatbot Lena to facilitate malicious code injections and session cookie theft through a single prompt, reports Cybernews.

Exfiltrating active session cookies has been made possible by a lone prompt commencing with an inquiry for legitimate information, followed by instructions for output format modification and how to generate an HTML-based output before including further orders to produce the requested image, an analysis from Cybernews researchers showed. In the process of producing the HTML output which eventually includes instructions for obtaining resources from an attacker-controlled server the malicious code infiltrating Lenovo's systems is then executed before threat actors request communications with a human support agent, with the firm's customer support systems at risk of being compromised using previously secured cookies. "It may also be possible to execute some system commands, which could allow for the installation of backdoors and lateral movement to other servers and computers on the network," said researchers.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds