Vulnerability in GitLab assistant enabled code theft
Briefly

GitLab's AI assistant Duo has been found to contain a critical security vulnerability that could have enabled code theft and the distribution of malware. The issue stems from Duo's failure to adequately scrutinize user input, which opened it to indirect prompt injections, as discovered by Legit Security. The flaw poses a significant risk because Duo is integrated deeply into GitLab operations, so attackers could exploit almost any interaction on the platform. The vulnerability is all the more alarming given GitLab's past security issues, including a major breach involving account takeovers.
Duo's fundamental security flaw arose not from its AI capabilities but from insufficient input scrutiny, which allowed attackers to inject malicious instructions and spread malware.
The vulnerabilities in GitLab's AI assistant Duo present a broad attack surface, since hidden prompts can be injected through any user-controlled content the assistant reads across the platform.
Read at Techzine Global