high

GitHub Copilot Chat Vulnerable to Data Exfiltration

Published Fri, Jun 14th, 2024

Platforms

Summary

GitHub Copilot Chat VS Code Extension was vulnerable to data exfiltration via prompt injection when analyzing untrusted source code. The vulnerability allowed attackers to access previous conversation turns and append information from the chat history to an image URL, which was then automatically retrieved by Copilot, sending the data to the attacker.

Affected Services

GitHub Copilot Chat

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://embracethered.com/blog/posts/2024/github-copilot-chat-prompt-injection-data-exfiltration/

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Sun, Feb 25th, 2024

Exploitablity Period

Until 2024/06/12

Known ITW Exploitation

Detection Methods

Monitor for unexpected outbound image requests from the GitHub Copilot Chat extension. Review source code for potential malicious instructions that could trigger prompt injection attacks.

Piercing Index Rating

Discovered by

wunderwuzzi, Embrace The Red

More vulnerabilities...

high

Issue with AWS Deployment Framework

CVE-2024-37293 affects the AWS Deployment Framework's bootstrap process, potentially allowing privilege escalation if an actor has permissions to change CodeBuild projects or Lambda functions. The ...

Xidian University

Tue, Jun 11th, 2024

medium

Issue with Amazon EC2 VM Import Export Service

AWS addressed an issue with the Amazon EC2 VM Import Export Service where importing Windows VMs with custom Sysprep answer files resulted in an unprotected backup copy being created, potentially ex...

Immersive Labs

Tue, Jun 11th, 2024

high

Abusing Service Tags to Bypass Azure Firewall Rules

Tenable Research discovered a vulnerability in Azure allowing attackers to bypass firewall rules based on Service Tags by forging requests from trusted services. It affects over 10 Azure services a...

Liv Matan, Tenable

Mon, Jun 3rd, 2024

View all