In brief
- Researchers discovered a prompt injection vulnerability in Google’s Antigravity AI coding platform.
- The flaw could allow attackers to execute commands even with the platform’s Secure Mode enabled.
- Google fixed the issue Feb. 28 after researchers disclosed it in January, Pillar Security said.
Google has patched a vulnerability in its Antigravity AI coding platform that researchers say could allow attackers to run commands on a developer’s machine through a prompt injection attack.
According to a report by cybersecurity firm Pillar Security, the flaw involved Antigravity’s find_by_name file search tool, which passed user input directly to an underlying command-line utility without validation. That allowed malicious input to convert a file search into a command execution task, enabling remote code execution.
“Combined with Antigravity's ability to create files as a permitted action, this enables a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search, all without additional user interaction once the prompt injection lands,” Pillar Security researchers wrote.
Launched last November, Antigravity is Google’s AI-powered development environment designed to help programmers write, test, and manage code with the help of autonomous software agents. Pillar Security disclosed the issue to Google on January 7, and Google acknowledged the report the same day, marking the issue as fixed on February 28.
Google did not immediately respond to a request for comment by Decrypt.
Prompt injection attacks occur when hidden instructions embedded in content cause an AI system to perform unintended actions. Because AI tools often process external files or text as part of normal workflows, the system may interpret those instructions as legitimate commands, allowing an attacker to trigger actions on a user’s machine without direct access or additional interaction.
The threat of prompt injection attacks for large language models came into renewed focus last summer when ChatGPT developer OpenAI warned that its new ChatGPT agent could be compromised.
“When you sign ChatGPT agent into websites or enable connectors, it will be able to access sensitive data from those sources, such as emails, files, or account information,” OpenAI wrote in a blog post.
To demonstrate the Antigravity issue, the researchers created a test script inside a project workspace and triggered it through the search tool. When executed, the script opened the computer’s calculator application, showing that the search function could be turned into a command execution mechanism.
“Critically, this vulnerability bypasses Antigravity's Secure Mode, the product's most restrictive security configuration,” the report said.
The findings highlight a broader security challenge facing AI-powered development tools as they begin to perform tasks autonomously.
“The industry must move beyond sanitization-based controls toward execution isolation. Every native tool parameter that reaches a shell command is a potential injection point,” Pillar Security said. “Auditing for this class of vulnerability is no longer optional, and it is a prerequisite for shipping agentic features safely.”
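As an added illustration of the find_by_name problem and of Pillar Security's point about tool parameters (this is not Antigravity's code or Google's fix), the sketch below shows a file search tool that treats its pattern strictly as data. The allow-list, the function names and the `search-util` binary are assumptions made for the example. The in-process search removes the command line from the path entirely, and the argv builder shows the minimum checks if an external utility must be called; neither replaces sandboxing the agent's execution.

```python
import fnmatch
import os
import re

# Assumption: file-name globs only need these characters; everything else is refused.
SAFE_PATTERN = re.compile(r"[A-Za-z0-9_.*?\[\]-]{1,128}")


class RejectedPattern(ValueError):
    """Raised when a tool parameter could be read as something other than a glob."""


def validate_pattern(pattern):
    if not isinstance(pattern, str) or not SAFE_PATTERN.fullmatch(pattern):
        raise RejectedPattern("pattern has characters outside the allow-list")
    if pattern.startswith("-"):
        # A leading dash is how a value turns into an option for a CLI utility.
        raise RejectedPattern("pattern must not look like a command-line option")
    return pattern


def search_argv(pattern, workspace, utility="search-util"):
    """Build argv for a hypothetical external search utility.

    List form means no shell parses the value; "--" ends option parsing
    for utilities that follow the POSIX convention.
    """
    return [utility, "--", validate_pattern(pattern), os.path.realpath(workspace)]


def find_by_name(pattern, workspace):
    """In-process search: the pattern never reaches a command line."""
    validate_pattern(pattern)
    root = os.path.realpath(workspace)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name, pattern):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)
```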