"Reprompt impacted Microsoft Copilot Personal and, according to the team, gave "threat actors an invisible entry point to perform a data‑exfiltration chain that bypasses enterprise security controls entirely and accesses sensitive data without detection -- all from one click." No user interaction with Copilot or plugins was required for this attack to trigger. Instead, victims had to click a link."
"Parameter 2 Prompt (P2P injection): By exploiting the 'q' URL parameter, an attacker could fill a prompt from a URL and inject crafted, malicious instructions that forced Copilot to perform actions, including data exfiltration. Double-request: While Copilot had safeguards that prevented direct data exfiltration or leaks, the team found that repeating a request for an action twice would force it to be performed."
Reprompt is a single-click attack that targeted Microsoft Copilot Personal by abusing the 'q' URL parameter to inject prompts and malicious instructions. The attack required only a victim clicking a crafted link; no interaction with Copilot or plugins was needed. The chain used a Parameter 2 Prompt injection to prefill prompts, a Double-request technique to force execution by repeating actions, and a Chain-request server to issue follow-up demands. The exploit could bypass enterprise security controls and extract sensitive Copilot data, potentially continuing after the browser window closed. The attack demonstrates a stealthy vector for data exfiltration from AI assistants.
Read at ZDNET
Unable to calculate read time
Collection
[
|
...
]