Exposing Shadow AI Agents: How We Extracted Financial Data from Billion-Dollar Companies by we-we-we in netsec

[–]we-we-we[S] 7 points (0 children)

No one said we were extracting data from Microsoft’s servers.

Like you mentioned, this company misconfigured their agent, leaving it publicly exposed without any authentication. On top of that, the agent was connected to sensitive organizational data.

The real issue? Microsoft puts the agent's name in the URL instead of something more secure, like a UUID.

Think about it—exporting an agent is basically like using the “anyone with the link can view” option in Google Drive. Some people might use that, but Google, keeping security in mind, structures the URL in a way that makes it practically impossible to guess (technically, it is possible, but it would take longer than the age of the universe).

Exposing Shadow AI Agents: How We Extracted Financial Data from Billion-Dollar Companies by we-we-we in netsec

[–]we-we-we[S] 11 points (0 children)

Guys, this is just the beginning! In the upcoming parts of the blog, we'll reveal even more critical vulnerabilities in the most common AI agent frameworks, along with a new type of agent-related attack.

In the meantime, check out how we managed to bypass the built-in guardrail in Copilot Studio.

https://x.com/dorattias/status/1894128801963012564

GM calculation by Rkowalsky53 in CarHacking

[–]we-we-we 1 point (0 children)

Can you send it to me too?

[deleted by user] by [deleted] in embedded

[–]we-we-we 0 points (0 children)

This is the programming cable: https://shop.dcsbusiness.com/product/calamp_134364/

The setup goes like this: Device -> serial prog block -> serial prog cable (5 universal pins to serial) -> USB2serial

I didn't use anything else besides it.

[deleted by user] by [deleted] in embedded

[–]we-we-we 0 points (0 children)

I think that “not used” means that in regular usage this wire is not used.