Critical Flaw Discovered in Microsoft’s New AI Web Protocol NLWeb


Microsoft’s ambitious new AI web protocol, NLWeb, designed to bring ChatGPT-like search capabilities to any website, has been hit with a critical security vulnerability just months after its unveiling. Researchers discovered a path traversal flaw that allows remote users to easily access sensitive files, including system configurations and crucial OpenAI or Gemini API keys. The vulnerability poses a significant risk: attackers could potentially steal an AI agent’s “cognitive engine”, leading to substantial financial losses or the creation of malicious clones.
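For readers unfamiliar with this bug class, the following added example (not NLWeb's code and not taken from the researchers' report) contrasts a static-file lookup that joins the request path to the web root without checking containment against a hardened lookup that resolves the path first and refuses anything outside the root. The directory layout, the `.env` file, the placeholder key and the function names are all constructed assumptions.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_resolve(static_root: Path, url_path: str) -> Path:
    """'Before' form: joins the decoded request path to the root, no containment check."""
    return static_root / unquote(url_path).lstrip("/")


def safe_resolve(static_root: Path, url_path: str) -> Optional[Path]:
    """Hardened form: return a path only if it is a file inside static_root."""
    root = static_root.resolve()
    decoded = unquote(url_path)
    if "\x00" in decoded:  # reject embedded NUL bytes outright
        return None
    # resolve() collapses ".." and follows symlinks before the containment test
    candidate = (root / decoded.lstrip("/")).resolve()
    if not candidate.is_relative_to(root) or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a constructed app layout and run both lookups over sample request paths."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        static = app / "static"
        static.mkdir(parents=True)
        (static / "index.html").write_text("<h1>ok</h1>")
        # Constructed secrets file one level above the web root (placeholder value)
        (app / ".env").write_text("OPENAI_API_KEY=PLACEHOLDER-NOT-A-REAL-KEY\n")
        results = {}
        for req in ["/index.html", "/../.env", "/%2e%2e/.env", "/missing.html"]:
            naive = naive_resolve(static, req).resolve()
            safe = safe_resolve(static, req)
            results[req] = {
                "naive_escapes_root": not naive.is_relative_to(static.resolve()),
                "safe_served": safe.name if safe else None,
            }
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(req, outcome)
```

Keeping secrets such as API keys out of any directory reachable from the web root, and rotating keys that may have been exposed, limits the damage if a containment check like this is ever missing.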

The flaw was reported to Microsoft on May 28th, and a patch was issued on July 1st. However, security researchers Aonan Guan and Lei Wang are urging Microsoft to issue a Common Vulnerabilities and Exposures (CVE) identifier, a standard industry practice for classifying and tracking vulnerabilities. Microsoft has stated that the issue was responsibly reported and fixed in its open-source repository, and claims that its own products do not use the impacted code. Still, experts warn that any public-facing NLWeb deployments remain vulnerable if not updated.

This incident serves as a stark reminder of the security challenges inherent in developing new AI-powered systems. It highlights the necessity for tech giants like Microsoft to balance rapid innovation with rigorous security protocols, especially as they integrate AI into core web functionalities.
