
"Researchers at Pen Test Partners found four flaws in Eurostar's public AI chatbot that, among other security issues, could allow an attacker to inject malicious HTML content or trick the bot into leaking system prompts. Their thank you from the company: being accused of "blackmail." The researchers reported the weaknesses to the high-speed rail service through its vulnerability disclosure program. While Eurostar ultimately patched some of the issues, during the responsible disclosure process, the train operator's head of security allegedly accused the pen-testing team of blackmail."
"After initially reporting the security issues - and not receiving any response - via a vulnerability disclosure program email on June 11, the bug hunter Ross Donald says he followed up with Eurostar on June 18. Still no response. So on July 7, managing partner Ken Munro contacted Eurostar's head of security on LinkedIn. About a week later, he was told to use the vulnerability reporting program (they had), and on July 31 learned there was no record of their bug report."
Pen Test Partners discovered four vulnerabilities in Eurostar's public AI chatbot that could let an attacker inject malicious HTML content or trick the bot into disclosing its system prompts. The researchers reported the weaknesses through Eurostar's vulnerability disclosure program on June 11 and, after receiving no response, followed up. Eurostar had recently changed or outsourced its disclosure portal, and the initial report was not immediately recorded. The researchers escalated via LinkedIn, and the company later located the original email. Eurostar patched some of the vulnerabilities. During the LinkedIn exchange, its head of security suggested the follow-up could be "blackmail."
Read at The Register