Researchers have already discovered a critical vulnerability in the new NLWeb protocol Microsoft made a big deal about just a few months ago at Build. It’s a protocol that’s supposed to be “HTML for the Agentic Web,” offering ChatGPT-like search to any website or app. Discovery of the embarrassing security flaw comes in the early stages of Microsoft deploying NLWeb with customers like Shopify, Snowflake, and TripAdvisor.
The flaw allows any remote user to read sensitive files, including system configuration files and even OpenAI or Gemini API keys. What’s worse is that it’s a classic path traversal flaw, meaning it’s as easy to exploit as visiting a malformed URL. Microsoft has patched the flaw, but it raises questions about how something as basic as this wasn’t picked up in Microsoft’s big new focus on security.
“This case study serves as a critical reminder that as we build new AI-powered systems, we must re-evaluate the impact of classic vulnerabilities, which now have the potential to compromise not just servers, but the ‘brains’ of AI agents themselves,” says Aonan Guan, one of the security researchers (alongside Lei Wang) who reported the flaw to Microsoft. Guan is a senior cloud security engineer at Wyze (yes, that Wyze), but this research was conducted independently.
Guan and Wang reported the flaw to Microsoft on May 28th, just weeks after NLWeb was unveiled. Microsoft issued a fix on July 1st, but has not issued a CVE for the issue — an industry standard for classifying vulnerabilities. The security researchers have been pushing Microsoft to issue a CVE, but the company has been reluctant to do so. A CVE would alert more people to the fix and allow them to track it more closely, even if NLWeb isn’t widely used yet.
“This issue was responsibly reported and we have updated the open-source repository,” says Microsoft spokesperson Ben Hope, in a statement to The Verge. “Microsoft does not use the impacted code in any of our products. Customers using the repository are automatically protected.”
Guan says NLWeb users “must pull and vend a new build version to eliminate the flaw,” otherwise any public-facing NLWeb deployment “remains vulnerable to unauthenticated reading of .env files containing API keys.”
While leaking an .env file in a web application is serious enough, Guan argues it’s “catastrophic” for an AI agent. “These files contain API keys for LLMs like GPT-4, which are the agent’s cognitive engine,” says Guan. “An attacker doesn’t just steal a credential; they steal the agent’s ability to think, reason, and act, potentially leading to massive financial loss from API abuse or the creation of a malicious clone.”
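To make the bug class concrete, here is an added illustration (not NLWeb’s code, and not the researchers’ report) of a static-file route in its classic vulnerable form beside a hardened one: the hypothetical `vulnerable_resolve` joins the URL path straight onto the web root, while `safe_resolve` decodes once, refuses dotfiles such as .env, and checks that the real path stays inside the root. The `demo()` helper, the directory names and the sample .env contents are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The classic bug: join whatever the URL said onto the web root.
    A request for '../.env' walks out of base_dir and the caller opens it."""
    return os.path.join(base_dir, unquote(requested))


def safe_resolve(base_dir: str, requested: str):
    """Return an absolute path inside base_dir, or None when the request
    escapes the root or names a dotfile such as .env."""
    base = os.path.realpath(base_dir)
    decoded = unquote(requested)
    # Decode exactly once; a '%' that survives means a second decoder
    # downstream could turn it back into a separator. NUL truncates paths.
    if "%" in decoded or "\x00" in decoded:
        return None
    parts = [p for p in decoded.split("/") if p]
    # Layer 1: refuse '.', '..' and dotfiles before touching the filesystem.
    if any(p.startswith(".") for p in parts):
        return None
    # Layer 2: realpath collapses '..' and follows symlinks, so the
    # containment check sees where open() would really land.
    target = os.path.realpath(os.path.join(base, *parts))
    if target != base and not target.startswith(base + os.sep):
        return None
    return target


def demo() -> dict:
    """Constructed web root: static/index.html plus a .env one level up.
    Shows which resolver lets each request reach the secrets file."""
    root = tempfile.mkdtemp()
    static = os.path.join(root, "static")
    os.mkdir(static)
    with open(os.path.join(static, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("OPENAI_API_KEY=constructed-placeholder\n")  # constructed sample
    requests = {"plain": "../.env", "encoded": "..%2F.env",
                "double": "..%252F.env", "normal": "index.html"}
    return {name: {"vulnerable_reads_file": os.path.isfile(vulnerable_resolve(static, req)),
                   "safe": safe_resolve(static, req)}
            for name, req in requests.items()}
```

Running `demo()` shows the vulnerable resolver handing back the .env file for both the plain and the percent-encoded traversal, while the hardened one returns None for every traversal attempt and only resolves `index.html`.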
Microsoft is also pushing ahead with native support for Model Context Protocol (MCP) in Windows, all while security researchers have warned of the risks of MCP in recent months. If the NLWeb flaw is anything to go by, Microsoft will need to take an extra cautious approach to balancing the speed of rolling out new AI features against keeping security the number one priority.