Last Tuesday, Microsoft patched a vulnerability it rated as max critical in its M365 Copilot AI platform. On Monday, the researchers who discovered the vulnerability and reported it to Microsoft revealed how their proof-of-concept exploit could retrieve 2FA codes and other sensitive data from emails accessible to Copilot.

Microsoft and other LLM providers have been unable to prevent their products from complying with malicious requests to reveal data. The root cause: AI bots are unable to distinguish between instructions provided by users and those snuck into third-party content the models are summarizing, drafting responses to, or using to perform other actions on behalf of the user. With no way to secure this crucial boundary, Microsoft and its peers are left to erect complicated and ad hoc guardrails designed to rein in the consequences of this incurable gullibility.

Jumping over guardrails

One guardrail built into Copilot and most other LLMs prevents them from submitting web forms, sending emails, and taking similar actions that can be used to exfiltrate data from the user. To work around this, LLM hackers turned to markup language, which, among other things, allows users to add formatting elements such as headings, lists, and links to text without the need for HTML tags. Another workaround is to wrap sensitive data inside HTML tags such as <img> and <form>. In either case, a web request showing the data hits the attacker’s web server, where the secret information is captured in logs.

Read full article

Comments

Microsoft's Build developer conference kicked off today, and as with almost everything the company has done in the last few years, Microsoft's opening keynote focused overwhelmingly on AI and other closely related technologies. There's Microsoft Scout, an OpenClaw-based "Autopilot" agent that can hook into Microsoft 365 data to perform tasks for users; several new AI models; an expanded preview of "Codename MDASH," which is a "multi-model agentic scanning system" meant to detect and fix software vulnerabilities.

A few of those announcements stood out to us as particularly interesting, either for esoteric technical reasons or because they seem like they may have some utility for those who aren't spending their every waking moment using generative AI tools. (Microsoft's recent efforts to make its flagship operating system faster, more reliable, more useful, and less annoying didn't really come up, but there have been plenty of other announcements on that front lately.)

On the hardware front, we didn't get any updates for existing Surface devices (not counting yesterday's Surface Laptop Ultra announcement), but we did get something new: the Surface RTX Spark Dev Box is "a compact developer PC" built around Nvidia's new RTX Spark chip with up to 128GB of built-in memory.

Read full article

Comments

In April, GitHub announced that it was moving subscribers from request-based billing to a usage-based model for its AI-powered Copilot service. As that new pricing model goes into effect today, many GitHub Copilot users are reporting some extreme sticker shock as they realize just how quickly their previous "normal" usage is burning through their newly limited monthly allotment of AI credits.

Across social media and forums, many Copilot users are sharing personal statistics showing how just a few hours of AI usage can now account for a large chunk of their new monthly subscription caps. For some users, it reportedly took less than a day to use up a month's usage quota.

That's a big change from previous months, when GitHub Copilot subscribers were allocated a certain number of "requests" and "premium requests" based on their payment tier. GitHub said that the old system meant that "a quick chat question and a multi-hour autonomous coding session [could] cost the user the same amount," forcing Copilot itself to "absorb much of the escalating inference cost behind that usage." Indeed, some Copilot users have been sharing estimates from GitHub's own tool showing that their previous monthly usage would rack up bills in the thousands of dollars under the new pricing plan.

Read full article

Comments