Stealing sensitive data from repositories

Mayraz then wondered: Because Copilot has access to all of a user’s code, including private repositories, would it be possible to abuse it to exfiltrate sensitive information that was never intended to be public? The short answer is yes, but it wasn’t straightforward.

Copilot has the ability to display images in the chatbot interface, and because they are rendered with HTML <img> tags, this opens the possibility of triggering requests to a remote server hosting those images and including the stolen data as parameters in those requested URLs.

However, GitHub has built-in protection for this. Any URL to an external image is passed through a GitHub proxy server called Camo, and the URLs are rewritten as camo.githubusercontent.com/[unique signature hash]. The site’s Content Security Policy only allows loading resources from GitHub-owned domains.

This means even if a malicious prompt told GitHub Copilot to render an image from the URL https://[attacker server].com/image.jpg?[secret data], the URL would be rewritten by Camo and the parameter would be removed. So it wouldn’t be the user’s browser making the request directly to the external server for the image, but Camo itself, which would then serve it to the user’s browser.

Mayraz came up with an interesting bypass: leaking data using not the request URLs themselves, but their order. First, he used the GitHub API to create unique Camo URLs pointing to unique locations on his remote web server that represented every letter of the alphabet. He then created invisible 1×1 pixel images in each of those locations: https://[attacker-server].com/a/image.jpg, /b/image.jpg, /c/image.jpg, and so on.

He then included all the Camo URLs that would fetch images from those locations in the hidden prompt and instructed Copilot Chat to first search for the AWS_KEY keyword in the codebase, extract the associated value, then load a 1×1 pixel image for each character in that value using the Camo URLs as an alphabet. He then monitored the requests coming into his web server to reconstruct the AWS_KEY value based on which image locations were requested by Camo.

This technique would also work to exfiltrate tickets or issues from a repository that have been marked private because they contain vulnerability disclosures, for example.

GitHub fixed the issue in August by disabling image rendering via Camo URLs in Copilot chat. However, this vulnerability demonstrates that even when developers anticipate some attack paths, such as data leaks via remote requests to fetch resources like images, and try to prevent them with known mechanisms like Content Security Policy, attackers can still find work-arounds.
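For teams that render assistant output themselves, the same class of fix can be applied at the rendering layer. The following is an added example, not GitHub's code and not from the original article: it removes proxied images from a chat reply before rendering and flags replies that contain a long run of them. The function names, the threshold and the sample replies are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

PROXY_HOST = "camo.githubusercontent.com"  # image proxy host named in the article

# Full Markdown image or HTML <img> tag; the URL lands in group 1 or group 2.
IMG_RE = re.compile(
    r'!\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)'
    r'|<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>',
    re.IGNORECASE,
)

def _url(match):
    return match.group(1) or match.group(2)

def is_proxied(url):
    """True when the URL points at the image proxy host."""
    try:
        return (urlparse(url).hostname or "") == PROXY_HOST
    except ValueError:  # malformed URL: treat as not proxied
        return False

def proxied_images(text):
    """Proxied image URLs in the order a renderer would request them."""
    return [_url(m) for m in IMG_RE.finditer(text) if is_proxied(_url(m))]

def order_channel_suspected(text, min_images=8):
    """Flag replies with a long run of proxied images.

    An order-based leak needs one image request per leaked character, so
    the count matters even when the same URL repeats. min_images is an
    assumed threshold, to be tuned against real chat traffic.
    """
    return len(proxied_images(text)) >= min_images

def strip_proxied_images(text):
    """Replace proxied images with inert text so rendering fetches nothing."""
    return IMG_RE.sub(
        lambda m: "[image removed]" if is_proxied(_url(m)) else m.group(0), text
    )

# Constructed sample replies (not captured data).
SUSPICIOUS = "Done. " + " ".join(
    f"![](https://{PROXY_HOST}/{i:040x}/68747470)" for i in range(12)
)
BENIGN = (
    "See the diagram: ![arch](https://docs.example.com/arch.png) and "
    f'<img src="https://{PROXY_HOST}/{1:040x}/68747470" width="200">'
)
```

Stripping is the control that closes the channel; the count check is only a detection signal for logging and review, since a short secret could stay under any threshold.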
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4069887/github-copilot-prompt-injection-flaw-leaked-sensitive-data-from-private-repos.html

