3 posts tagged with "security"

The Meta AI support chatbot incident is not just another story about a model being tricked.

It is a story about what happens when an AI system is connected to privileged actions without a sufficiently hard authority boundary around those actions.

According to TechCrunch, attackers were able to ask Meta's AI support chatbot to link a target Instagram account to an email address they controlled, then use that path to reset the password and take over the account. TechCrunch reported that Instagram began alerting affected users after the attacks. Later reporting from The Verge said Meta disclosed that 20,225 accounts were likely affected through the support-tool exploit.

This is exactly the class of risk ANIP is designed to address.

4,000 developer machines. One GitHub issue title. Eight hours.

That's the Clinejection attack from last month. If you haven't read it, here's the chain: an attacker crafted a GitHub issue title containing an embedded instruction. An AI triage bot read it, interpreted it as legitimate, and executed npm install from a typosquatted repository. That triggered a cache poisoning attack that exfiltrated npm credentials. Six days later, 4,000 developers installed a compromised Cline release that silently bootstrapped a second AI agent on their machines — with shell access, credential access, and a persistent daemon surviving reboots.

Five steps. The entry point was natural language.

Modern agent systems combine LLM-based reasoning, tool/API execution, and implicit system-level permissions. This creates a well-known class of vulnerability: the confused deputy.

The agent becomes a privileged intermediary that accepts untrusted input, makes decisions based on it, and executes actions with higher authority than it should have.