- AppOmni warns that ServiceNow’s Now Assist AI can be abused via ‘rapid second-order injection’
- Low-privileged malicious agents can recruit more privileged agents to exfiltrate sensitive data.
- The risk comes from default configurations; mitigations include supervised execution, disabling overrides, and agent monitoring
We’ve all heard of malicious insiders, but have you ever heard of malicious insider AI?
AppOmni security researchers warn that ServiceNow’s Now Assist generative artificial intelligence (GenAI) platform can be misused to turn against the user and against other agents.
Now Assist from ServiceNow is a platform that offers agent-to-agent collaboration. This means that an AI agent can call on another AI agent to accomplish certain things. So if the “primary” AI agent is malicious, it can ask the “secondary” agent, with higher privileges, to do harmful things, like steal sensitive files or escalate privileges.
Rapid second-order injection
For example, a low-privilege “workflow triage agent” receives a malformed client request that triggers it to generate an internal task requesting a “full context export” of a current case.
The task is automatically forwarded to a higher-privileged “data recovery agent,” which interprets the request as legitimate and compiles a package containing sensitive information (names, phone numbers, account IDs, and internal audit notes) and sends it to an external notification endpoint that the system mistrusts.
Because both agents assume the other is acting legitimately, data leaves the system without any human reviewing or approving the action.
However, for this to work, the Now Assist platform must remain in its default configuration.
“This finding is alarming because this is not an AI bug; it is expected behavior as defined by certain default configuration options,” said Aaron Costello, head of SaaS security research at AppOmni.
“When agents can discover and recruit each other, a harmless request can quietly turn into an attack, with criminals stealing sensitive data or gaining more access to internal company systems. These settings are easy to overlook.”
The vulnerability has been dubbed “rapid second-order injection.”
Although ServiceNow said the system works as expected and it won’t make any changes, it has updated its documentation to more clearly indicate potential risks, The Hacker News reports.
To mitigate these threats, users are advised to configure supervised execution mode for privileged agents, disable the standalone override property, segment agent tasks by team, and monitor AI agents for suspicious behavior.
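The two-agent scenario above and the four mitigations in this paragraph can be modelled as a small delegation gate. The following is an added example written for this article; it is not ServiceNow or AppOmni code, and the agent names, the "full_context_export" action label, the policy field names and the assumed permissive defaults are illustrative assumptions rather than real Now Assist properties. It shows how supervised execution, a disabled override, team segmentation and an audit trail each change the outcome of the triage-to-recovery hand-off.

```python
# Added example (not ServiceNow/AppOmni code): a toy agent-to-agent delegation
# gate that applies the mitigations the article lists. Names, action labels and
# policy fields are constructed assumptions, not real Now Assist settings.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Agent:
    name: str
    team: str
    privileged: bool


@dataclass(frozen=True)
class Task:
    requester: Agent        # agent that generated the task
    target: Agent           # agent asked to carry it out
    action: str             # constructed label, e.g. "full_context_export"
    destination: str        # "internal" or "external"
    override: bool = False  # requester asks to bypass supervision


@dataclass
class DelegationPolicy:
    supervised_privileged: bool      # privileged agents need human sign-off
    allow_standalone_override: bool  # a task may bypass supervision on request
    team_segmentation: bool          # delegation only within one team
    audit_log: List[Dict] = field(default_factory=list)

    def decide(self, task: Task) -> str:
        """Return 'run', 'hold_for_review' or 'deny'; every decision is logged."""
        verdict, reason = "run", "no control triggered"
        if self.team_segmentation and task.requester.team != task.target.team:
            verdict, reason = "deny", "cross-team delegation blocked"
        elif task.target.privileged and self.supervised_privileged:
            if task.override and self.allow_standalone_override:
                reason = "supervision bypassed by standalone override"
            else:
                verdict, reason = "hold_for_review", "privileged target needs approval"
        self.audit_log.append({
            "requester": task.requester.name,
            "target": task.target.name,
            "escalates": task.target.privileged and not task.requester.privileged,
            "action": task.action,
            "destination": task.destination,
            "verdict": verdict,
            "reason": reason,
        })
        return verdict


def risky_policy() -> DelegationPolicy:
    # Assumed model of the permissive defaults the article describes.
    return DelegationPolicy(supervised_privileged=False,
                            allow_standalone_override=True,
                            team_segmentation=False)


def hardened_policy() -> DelegationPolicy:
    # The article's mitigations applied.
    return DelegationPolicy(supervised_privileged=True,
                            allow_standalone_override=False,
                            team_segmentation=True)


def flag_suspicious(audit_log: List[Dict]) -> List[Dict]:
    """Monitoring rule: privilege-crossing tasks that sent data externally
    and actually ran, i.e. left the system without a human review."""
    return [e for e in audit_log
            if e["escalates"] and e["destination"] == "external"
            and e["verdict"] == "run"]


# Constructed actors mirroring the article's scenario.
TRIAGE = Agent("workflow_triage", "support", privileged=False)
RECOVERY = Agent("data_recovery", "operations", privileged=True)
RECOVERY_SAME_TEAM = Agent("data_recovery", "support", privileged=True)
EXPORT = Task(TRIAGE, RECOVERY, "full_context_export", "external", override=True)
EXPORT_SAME_TEAM = Task(TRIAGE, RECOVERY_SAME_TEAM, "full_context_export",
                        "external", override=True)


def run_scenario(policy: DelegationPolicy, task: Task = EXPORT) -> str:
    return policy.decide(task)


if __name__ == "__main__":
    for label, pol in (("risky", risky_policy()), ("hardened", hardened_policy())):
        print(label, run_scenario(pol), flag_suspicious(pol.audit_log))
```

Under the assumed permissive defaults the export runs unattended and the monitoring rule flags it after the fact; with segmentation on, the cross-team hand-off is denied outright, and a same-team hand-off to a privileged agent is held for human approval because the override no longer bypasses supervision.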