Thousands of GitHub repositories exposed via Microsoft Copilot
Date:
Thu, 27 Feb 2025 15:29:00 +0000
Description:
Copilot has access to Bing's cache, but Microsoft isn't too worried.
FULL STORY ======================================================================
Copilot has access to private GitHub repositories, researchers found
The repositories were public at some point, and Bing cached them
The caching behavior is "acceptable" says Microsoft
Thousands of private GitHub repositories, some of which possibly contained credentials and other secrets, are being exposed through Microsoft Copilot, the company's Generative Artificial Intelligence (GenAI) virtual assistant, experts have warned.
Cybersecurity researchers from Lasso reported their findings to Microsoft but got a mixed response.
Lasso is a cybersecurity company focusing on threats emerging from the use of new AI tools, and reported Copilot was able to retrieve one of its own GitHub repositories which should have been private and inaccessible on the wider internet. Indeed, navigating directly to GitHub returns a "page not found" error. However, at one point the team mistakenly left the repository public for a short period of time - long enough for Microsoft's Bing search engine to index it. That allowed Copilot access to the data, even though it shouldn't have.
Severe implications
Lasso further investigated, compiling a list of tens of thousands of repositories that were public at one point and are set to private today, finding more than 20,000 which can still be accessed through Copilot, belonging to tens of thousands of organizations, including some of the technology sector's biggest players.
The implications of the findings could be quite severe. Speaking to TechCrunch, Lasso's co-founder Ophir Dror said it used the flaw to retrieve a GitHub repository that hosted a tool allowing them to create offensive and harmful AI images using Microsoft's cloud AI service. Different company secrets could also be exposed this way, prompting Dror to advise victims to rotate or revoke their keys.
Microsoft allegedly told the company that the issue is low severity and that the caching behavior was acceptable. However, as of December 2024, Microsoft no longer includes links to Bing's cache in its search results. Copilot can still access the data.
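The advice to rotate or revoke keys only helps if the repository owner knows which secrets were present while the repository was public, and a cached copy means the exposure outlives the "set to private" switch. The following added example, which is not code from Lasso, Microsoft or TechRadar, scans file contents for credential-shaped strings and groups the hits by kind so an owner can build a rotation list. SAMPLE_FILES is constructed for this example (the AWS values are AWS's own documented placeholder credentials, the rest are made up), and blobs_from_git is an assumed helper that feeds every blob reachable in a local clone's history, not just the current checkout, through the same scanner.

```python
"""Find credential-shaped strings in file contents so the owner of a repository
that was briefly public knows what to rotate. Added example with its own patterns
and sample data; not the tooling of any company named in the article."""
import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    kind: str
    hint: str  # redacted preview; the full value is never written to the report


# (kind, regex). Group 1, where present, isolates the secret value itself.
# The AWS key-id and GitHub PAT shapes are their documented formats; the
# URL-credential and generic-assignment rules are heuristics and will produce
# some false positives, which is the right trade-off for a rotation list.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("url_embedded_credential", re.compile(r"://[^/\s:@]+:([^@\s/]+)@")),
    ("generic_secret_assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]


def redact(value: str) -> str:
    """Keep enough to recognise the value in a report without reproducing it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line; a line may yield several findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def rotation_report(findings: list[Finding]) -> dict[str, list[str]]:
    """Group locations by credential kind: one entry per thing to rotate or revoke."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.kind, []).append(f"{f.file}:{f.line_no}")
    return report


def blobs_from_git(repo_path: str) -> dict[str, str]:
    """Assumed helper: every blob reachable from any ref of a local clone, keyed
    '<short oid>:<path>'. A secret deleted in a later commit is still in history,
    so scanning only the working tree would miss it. Uses `git rev-list --all
    --objects` (object id plus the path it was seen at) and `git cat-file`."""
    listing = subprocess.run(["git", "-C", repo_path, "rev-list", "--all", "--objects"],
                             check=True, capture_output=True, text=True).stdout
    files: dict[str, str] = {}
    for line in listing.splitlines():
        oid, _, path = line.partition(" ")
        if not path:  # commits and root trees carry no path
            continue
        obj_type = subprocess.run(["git", "-C", repo_path, "cat-file", "-t", oid],
                                  check=True, capture_output=True, text=True).stdout.strip()
        if obj_type != "blob":  # sub-trees are listed with a path too; skip them
            continue
        data = subprocess.run(["git", "-C", repo_path, "cat-file", "-p", oid],
                              check=True, capture_output=True).stdout
        files[f"{oid[:12]}:{path}"] = data.decode("utf-8", errors="replace")
    return files


# Constructed sample of what a briefly-public repository might have carried.
# The AWS pair is AWS's documented placeholder credential; nothing here is live.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",
        "DATABASE_URL = 'postgres://app:password@db.internal/app'",
    ]),
    ".github/workflows/deploy.yml": "\n".join([
        "env:",
        "  GH_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    ]),
    "deploy/id_rsa": "\n".join([
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEowIBAAKCAQEA...(constructed placeholder, not a real key)...",
        "-----END RSA PRIVATE KEY-----",
    ]),
    "README.md": "Run `make deploy` after setting your credentials.",
}

if __name__ == "__main__":
    for kind, where in rotation_report(scan_files(SAMPLE_FILES)).items():
        print(f"{kind}: rotate/revoke, seen at {', '.join(where)}")
```

To apply it to a real clone, replace SAMPLE_FILES with `blobs_from_git("/path/to/clone")`; the report then lists every kind of credential that has ever been committed on any branch, which is the set to assume a search-engine cache may hold. The hint field is deliberately redacted so the report itself can be shared with the people doing the rotation without becoming a second copy of the secrets.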
======================================================================
Link to news story:
https://www.techradar.com/pro/security/thousands-of-github-repositories-exposed-via-microsoft-copilot
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)