Flaw in Lenovo's customer service AI chatbot could let hackers run malicious code, breach networks
Briefly

Lenovo's customer-service AI chatbot, Lena, contained a cross-site scripting (XSS) vulnerability: the chatbot's replies were rendered by the browser as markup rather than plain text, so an attacker could inject executable code into a reply with a single, lengthy prompt that otherwise asked for legitimate product information. The prompt instructed the chatbot to answer in a specific format and to include an image that does not exist; when the browser failed to load that image, the injected code ran and sent a request carrying the user's session cookies to the attacker's server. Session cookies stolen this way could be replayed to gain unauthorized access to the support system, a serious risk to both customer privacy and corporate security.
Security researchers discovered a flaw in Lenovo's AI chatbot, Lena, that exposes customer data and internal systems to attack and could allow lateral movement through the network.
The cross-site scripting (XSS) flaw let an attacker inject code that steals session cookies, using a prompt crafted to abuse the chatbot's response formatting.
Read at IT Pro