- Pen Test Partners found flaws in Eurostar’s AI chatbot, including weak validation and HTML injection
- Eurostar says customer data was never at risk; vulnerabilities have since been patched
- Palo Alto warns that rapid AI adoption is expanding cloud attack surfaces via misconfigurations and non-human identities
Eurostar’s recently introduced AI-powered customer support chatbot was marred with cyber security vulnerabilities that opened the door to a host of potential risks, experts have warned.
Researchers at Pen Test Partners discovered that the chatbot only correctly validated the most recent messages in a conversation, meaning older messages could be altered to contain a malicious prompt. This prompt can be pretty much anything, from revealing system information to (possibly) exfiltrating sensitive customer data.
Fortunately, Eurostar did not connect its customer information database to the chatbot, so at the time of discovery there was no direct risk of data leakage.
“The customers were never in danger”
The experts found that there were also other weaknesses in the system, including conversation and message IDs that were not properly verified, or an HTML injection flaw that allows JavaScript to be executed directly in the chat window.
Pen Test Partners appears to be the first to discover these vulnerabilities: “No attempt was made to access other users’ conversations or personal data,” the researchers explained. “However, the same design weaknesses can become far more serious as chatbot functionality expands”.
Eurostar stressed that customer data was never at risk By AM: “The chatbot did not have access to other systems, and more importantly, no sensitive customer data was at risk. All data is protected by a customer login.”
Many companies are rushing to implement AI tools, but rapid enterprise adoption is significantly expanding cloud attack surfaces and putting companies at greater risk than ever before.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
