Cybersecurity News in Asia

Features
- Featured
  
  Malaysia’s cyber defense agency has four strategies to keep the nation’s lights on
  
  Wednesday, November 13, 2024, 10:09 AM Asia/Singapore | Features, Newsletter
- Featured
  
  Before we take the plunge into the AI-powered metaverse…
  
  Tuesday, November 12, 2024, 12:24 PM Asia/Singapore | Cloud Security, Features
- Featured
  
  What is one-third of Zero Trust? Zero benefits!
  
  Friday, November 8, 2024, 9:07 AM Asia/Singapore | Features, Newsletter
News
- Featured
  
  Banking professionals least likely to use generative AI at work: analysis
  
  Monday, November 18, 2024, 10:28 AM Asia/Singapore | News, Newsletter
- Featured
  
  Enduring APT group in the Middle East deemed linked to Hamas
  
  Monday, November 18, 2024, 10:13 AM Asia/Singapore | News, Newsletter
- Featured
  
  How did application security levels fare across 19 industry sectors?
  
  Friday, November 15, 2024, 9:19 AM Asia/Singapore | News, Newsletter
Opinions
Tips
Whitepapers
Awards 2024
Directory
E-Learning

News

Beware: Prompt Injection vulnerability found in generative AI email assistant

By CybersecAsia editors | Thursday, June 13, 2024, 2:09 PM Asia/Singapore

As the developers have failed to respond within the 90-day deadline from time of disclosure, the tool should be disabled immediately

Users of the generative AI tool named “EmailGPT” should know by now that a prompt injection vulnerability (CVE-2024-5184s) has been found in the code.

The vulnerability allows attackers to overwrite instructions, change the behavior or the AI, and exfiltrate data from the system, in ways that are somewhat similar to what happened with GitHub Copilot leaking intellectual property.

According to the software’s website, the generative AI (GenAI) tool and Google Chrome extension “uses advanced machine learning algorithms to analyze your past emails and attachments to understand your business and relationships. It then summarizes all incoming emails and even drafts replies for you to review and send.”

The service uses an application programming interface (API) service that, when compromised, can allow a malicious user to inject a direct prompt and take over the service logic. Attackers can exploit the issue by forcing the AI service to leak the standard hard-coded system prompts and/or execute unwanted prompts.

Exploiting the vulnerability
According to the researchers from the Synopsys Cybersecurity Research Center who exposed the vulnerability, anyone with access to the EmailGPT service can exploit the vulnerability by submitting a malicious prompt that requests harmful information. The system will respond by providing the requested data.

This could lead to intellectual property leakage, denial-of-service, and direct financial loss through an attacker making repeated requests to the AI provider’s API which are pay-per-use.

The vulnerability has been evaluated to score 6.5 on the Common Vulnerability Scoring System.

Synopsys has already reached out to the developers, but as of the time of this story (from 26 Feb to June 2024), the firm has not received a response within the 90-day timeline dictated by responsible disclosure policy.

Therefore, it is recommended that users of the browser extension remove it from their networks immediately.

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

CybersecAsia Voting Placement

Gamification listing or Participate Now

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

Mitigating Ransomware Risks with GRC Automation
In today’s landscape, ransomware attacks pose significant threats to organizations of all sizes, with increasing …Download Whitepaper
2024 Gartner® Magic Quadrant™ for SD-WAN
Gartner® has positioned Fortinet highest for Ability to Execute for the fourth year in a …Download Whitepaper
5 Cybersecurity Dashboards for CISOs
Are you ready to transform your cybersecurity approach? With Commugen's 5 Cybersecurity Dashboards for CIOs, …Download Whitepaper
CISO’s Toolbox for Managing AI Risks
As AI reshapes industries, it also introduces a new frontier of risks that demand immediate …Download Whitepaper

Middle-sidebar-banner

Case Studies

Unlock Your Guide to Securing Business Critical Secrets
Is your organization effectively managing access to sensitive secrets like credentials, API keys, and certificates …Read more
RBL Finserve boosts control of growing number of identities in its multi-cloud environment
By adopting a third-party identity security platform, the Indian financial institution expects to leverage zero …Read more
MAX Solutions safeguards data for digital transformation with Veeam
One of the largest employment providers in Australia needed to protect data while reducing complexity …Read more
Adding secure automatic multi-factor authentication boosts customer experience: Tiger Brokers
Can tightening identity security degrade customer experience? In this case study, an online trading platform …Read more

Cybersecurity News in Asia

Featured

Malaysia’s cyber defense agency has four strategies to keep the nation’s lights on

Featured

Before we take the plunge into the AI-powered metaverse…

Featured

What is one-third of Zero Trust? Zero benefits!

Featured

Banking professionals least likely to use generative AI at work: analysis

Featured

Enduring APT group in the Middle East deemed linked to Hamas

Featured

How did application security levels fare across 19 industry sectors?

Beware: Prompt Injection vulnerability found in generative AI email assistant

As the developers have failed to respond within the 90-day deadline from time of disclosure, the tool should be disabled immediately

Related Posts

Leave a reply Cancel reply

Voters-draw/RCA-Sponsors

CybersecAsia Voting Placement

Gamification listing or Participate Now

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

Middle-sidebar-banner

Case Studies

Bottom sidebar