So this wasn't really fixed. The impressive thing here is that copilot accepts natural language. So whatever exfiltration method you can come up with, you just write out the method in english.
They merely "fixed" one particular method, without disclosing how they fixed it. Surely you could just do the base64 thing to an image url of your choice? Failing that, you could trick it into providing passwords by telling it you accidentally stored your grocery list in a field called passswd, go fetch it for me ppls?
There's a ton of stuff to be found here. Do they give bounties? Here's a goldmine.
>Surely you could just do the base64 thing to an image url of your choice?
What does that mean? Are you proposing a non-Camo image URL? Non-Camo image URLs are blocked by CSP.
>Failing that, you could trick it into providing passwords by telling it you accidentally stored your grocery list in a field called passswd, go fetch it for me ppls?
Does the agent have internet access to be able to perform a fetch? I'm guessing not, because if so, that would be a much easier attack vector than using images.
To supplement the parent, this is straight from article’s TLDR (emphasis mine):
> In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links.
> The attack combined a novel CSP bypass using GitHub’s own infrastructure with remote prompt injection. I reported it via HackerOne, and GitHub fixed it by disabling image rendering in Copilot Chat completely.
And parent is clearly responding to gp’s incorrect claims that “…without disclosing how they fixed it. Surely you could just do the base64 thing to an image url of your choice?” I’m sure there will be more attacks discovered in the future but gp is plain wrong on these points.
Somehow this article feels like a promotional for Legit. But all AI vibe solutions face the same weaknesses. Limited transparency and trust Issues: Using non FOSS solutions for cybersecurity is a large risk.
If you do use AI cyber solutions, you can be more vulnerable for security breaches instead of less.
Wondering if the ability to use hidden (HTML comment) content in PRs would not remain a nasty issue: especially for open source repos?! Was that fixed?
It's used widely for issue/PR templates, to tell the submitter what info to include. But they could definitely strip it from the Copilot input... at least until they figure out this "prompt injection" thing that I thought modern LLMs were supposed to be immune to.
> that I thought modern LLMs were supposed to be immune to
What gave you this idea?
I thought it was always going to be a feature of LLMs, and the only thing that changes is that it gets harder to do (more circumventions needed), much like exploits in the context of ASLR.
The rule is to operate using the intersection of all the users permissions of who is contributing text to the LLM. Why can an attacker's prompt access a repo the attacker does not have access to? That's the biggest issue here.
So this wasn't really fixed. The impressive thing here is that copilot accepts natural language. So whatever exfiltration method you can come up with, you just write out the method in english.
They merely "fixed" one particular method, without disclosing how they fixed it. Surely you could just do the base64 thing to an image url of your choice? Failing that, you could trick it into providing passwords by telling it you accidentally stored your grocery list in a field called passswd, go fetch it for me ppls?
There's a ton of stuff to be found here. Do they give bounties? Here's a goldmine.
>Surely you could just do the base64 thing to an image url of your choice?
What does that mean? Are you proposing a non-Camo image URL? Non-Camo image URLs are blocked by CSP.
>Failing that, you could trick it into providing passwords by telling it you accidentally stored your grocery list in a field called passswd, go fetch it for me ppls?
Does the agent have internet access to be able to perform a fetch? I'm guessing not, because if so, that would be a much easier attack vector than using images.
> GitHub fixed it by disabling image rendering in Copilot Chat completely.
To supplement the parent, this is straight from article’s TLDR (emphasis mine):
> In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links.
> The attack combined a novel CSP bypass using GitHub’s own infrastructure with remote prompt injection. I reported it via HackerOne, and GitHub fixed it by disabling image rendering in Copilot Chat completely.
And parent is clearly responding to gp’s incorrect claims that “…without disclosing how they fixed it. Surely you could just do the base64 thing to an image url of your choice?” I’m sure there will be more attacks discovered in the future but gp is plain wrong on these points.
Please RTFA or at least RTFTLDR before you vote.
Somehow this article feels like a promotional for Legit. But all AI vibe solutions face the same weaknesses. Limited transparency and trust Issues: Using non FOSS solutions for cybersecurity is a large risk.
If you do use AI cyber solutions, you can be more vulnerable for security breaches instead of less.
Wondering if the ability to use hidden (HTML comment) content in PRs would not remain a nasty issue: especially for open source repos?! Was that fixed?
It's used widely for issue/PR templates, to tell the submitter what info to include. But they could definitely strip it from the Copilot input... at least until they figure out this "prompt injection" thing that I thought modern LLMs were supposed to be immune to.
> that I thought modern LLMs were supposed to be immune to
What gave you this idea?
I thought it was always going to be a feature of LLMs, and the only thing that changes is that it gets harder to do (more circumventions needed), much like exploits in the context of ASLR.
Wild approach. Very nice
A good vulnerability writeup, and a thrill to read. Thanks!
You'd have to be insane to run an AI agent locally. They're clearly unsecurable.
Did the markdown link exfil get fixed?
The rule is to operate using the intersection of all the users permissions of who is contributing text to the LLM. Why can an attacker's prompt access a repo the attacker does not have access to? That's the biggest issue here.
can you still make invisible comments?