- Pen Test Partners discovered flaws in Eurostar’s AI chatbot, including weak validation and HTML injection.
- Eurostar says customer data was never at risk; the vulnerabilities have since been mitigated.
- Palo Alto warns that rapid adoption of AI expands cloud attack surfaces via misconfigurations and non-human identities.
Eurostar’s recently introduced AI-based customer support chatbot was riddled with cybersecurity vulnerabilities that opened the door to a host of potential risks, experts have warned.
Pen Test Partners researchers found that the chatbot correctly validated only the most recent message in a conversation, meaning older messages could be edited to contain a malicious prompt. Such a prompt could ask for virtually anything, from revealing system information to (possibly) exfiltrating sensitive customer data.
Fortunately, Eurostar did not connect its customer information database to the chatbot, so at the time of discovery there was no direct risk of a data leak.
“Customers were never at risk”
The researchers also found other weaknesses in the system, including chat and message IDs that were not properly verified and an HTML injection flaw that allowed JavaScript to be executed directly in the chat window.
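The latest-message-only validation and the unverified chat and message IDs described above come down to the same server-side gap. The sketch below is an added example, not code from Eurostar or Pen Test Partners; it assumes the backend tags each message with an HMAC, and the key, function names and sample conversation are hypothetical.

```python
import hashlib
import hmac
import html
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret held only by the backend


def sign(chat_id: str, index: int, role: str, content: str) -> str:
    """Tag binds a message to its conversation, its position and its text."""
    data = json.dumps([chat_id, index, role, content]).encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


def _valid(chat_id: str, index: int, msg: dict) -> bool:
    expected = sign(chat_id, index, msg["role"], msg["content"]).encode()
    return hmac.compare_digest(expected, str(msg.get("sig", "")).encode())


def verify_latest_only(chat_id: str, history: list) -> bool:
    """The weak pattern the article describes: only the newest message is checked."""
    return bool(history) and _valid(chat_id, len(history) - 1, history[-1])


def verify_all(chat_id: str, history: list) -> bool:
    """Hardened: every message needs a valid tag for this chat and this position."""
    return bool(history) and all(_valid(chat_id, i, m) for i, m in enumerate(history))


def render(msg: dict) -> str:
    """Escape content before it reaches the chat window so markup stays inert."""
    return "<p class='{}'>{}</p>".format(html.escape(msg["role"]),
                                         html.escape(msg["content"]))


def build_history(chat_id: str, turns: list) -> list:
    """Server-side helper: sign each turn as it is first accepted."""
    return [{"role": r, "content": c, "sig": sign(chat_id, i, r, c)}
            for i, (r, c) in enumerate(turns)]


# Constructed sample conversation (not real traffic).
history = build_history("chat-A", [("user", "When is the next train?"),
                                   ("assistant", "At 10:31."),
                                   ("user", "Thanks")])
tampered = [dict(m) for m in history]
tampered[0]["content"] = "<b>edited earlier turn</b>"  # changed after signing
```

The weak check accepts the tampered history because its last message is untouched; the full check rejects it, and also rejects a valid history replayed under a different chat ID.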
Pen Test Partners appears to be the first to have discovered these vulnerabilities: “No attempt was made to access the conversations or personal data of other users,” the researchers explain. “But the same design weaknesses could become much more serious as the chatbot’s functionality grows.”
Eurostar stressed that customer data was never at risk, telling City AM: “The chatbot had no access to other systems and above all no sensitive customer data was at risk. All data is protected by a customer identifier.”
Many companies are rushing to deploy AI tools. However, their rapid adoption is dramatically expanding cloud attack surfaces and exposing businesses to greater risks than ever before.