Reprompt attack exploits Microsoft Copilot for data theft

A new one-click attack, dubbed Reprompt, has been discovered that bypasses Microsoft Copilot security controls and allows for the theft of user data. The attack leverages a URL parameter to steal sensitive information, even after the Copilot window has been closed, as reported by ZDNET.

The Reprompt attack, detailed by Varonis Threat Labs, targets Microsoft Copilot Personal. It requires only a single click on a malicious link to initiate. Attackers exploit the "q" URL parameter to inject prompts and malicious instructions, forcing Copilot to perform actions, including data exfiltration. The attack chain involves a parameter injection, a double-request technique to bypass safeguards, and a chain-request to issue follow-up instructions. This method is difficult to detect as it bypasses client-side monitoring and disguises the exfiltrated data, leaking it incrementally. Microsoft has confirmed that enterprise users of Microsoft 365 Copilot are not affected, as the vulnerability was patched prior to public disclosure.

The Reprompt attack highlights a broader class of vulnerabilities in AI assistants, driven by the exploitation of external inputs. This underscores the need for AI vendors and users to treat URLs and external inputs as untrusted, implementing robust validation and safety controls throughout the entire process chain. 

Source: ZD NET