Security News > 2024 > August > Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data
Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive information.
"An authenticated attacker can bypass Server-Side Request Forgery protection in Microsoft Copilot Studio to leak sensitive information over a network," Microsoft said in an advisory released on August 6, 2024.
"Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft's internal infrastructure for Copilot Studio, including the Instance Metadata Service and internal Cosmos DB instances," Grant said.
Put differently, the attack technique made it possible to retrieve the instance metadata in a Copilot chat message, using it to obtain managed identity access tokens, which could then be abused to access other internal resources, including gaining read/write access to a Cosmos DB instance.
The cybersecurity company further noted that while the approach does not allow access to cross-tenant information, the infrastructure powering the Copilot Studio service is shared among tenants, potentially affecting multiple customers when having elevated access to Microsoft's internal infrastructure.
The disclosure comes as Tenable detailed two now-patched security flaws in Microsoft's Azure Health Bot Service, that, if exploited, could permit a malicious actor to achieve lateral movement within customer environments and access sensitive patient data.
News URL
https://thehackernews.com/2024/08/microsoft-patches-critical-copilot.html
Related news
- Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack (source)
- Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments (source)
- Week in review: RADIUS protocol critical vuln, Microsoft 0-day exploited for a year, AT&T breach (source)
- Critical Exim vulnerability facilitates malware delivery (CVE-2024-39929) (source)
- ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu (source)
- Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP (source)
- Critical Acronis Cyber Infrastructure vulnerability exploited in the wild (CVE-2023-45249) (source)
- Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure (source)
- Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Days (source)
- Microsoft Edge PDF reader is getting more Copilot AI features (source)