A vulnerability in GitHub Codespaces allowed attackers to inject malicious Copilot instructions via GitHub issues, enabling passive prompt injections that could leak a user's GITHUB_TOKEN and enable repository takeover. Orca Security named the technique RoguePilot and demonstrated how hidden HTML comments, repository symlinks, and automatic JSON schema downloads could be chained to exfiltrate credentials; GitHub patched the flaw after notification.
Key points
- An issue-based prompt injection could manipulate Copilot in a Codespace to perform unauthorized actions.
- RoguePilot leverages hidden HTML comments in issue descriptions to hide malicious instructions from human reviewers.
- Attackers can exploit repository symbolic links and VS Code's automatic JSON $schema downloads to exfiltrate data.
- The exploit enabled Copilot to create a JSON file containing a leaked GITHUB_TOKEN without explicit user approval.
- Orca Security disclosed the chain-of-abuse to GitHub, which subsequently patched the vulnerability.
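A review-side check for the three building blocks named above (hidden HTML comments in issue text, symlinks that resolve outside the repository, and JSON files with a remote `$schema`), as an added example that is not code from Orca Security or GitHub. The function names and the sample issue body are constructed for illustration, and POSIX paths are assumed.

```python
import json
import os
import re
from urllib.parse import urlparse

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Constructed sample issue body (not taken from the RoguePilot research).
SAMPLE_ISSUE = "Build fails on main.\n<!-- text here is not rendered in the issue view -->\n"

def hidden_comments(issue_body):
    """Non-empty HTML comment bodies: present in the raw text, invisible when rendered."""
    return [c.strip() for c in HTML_COMMENT.findall(issue_body) if c.strip()]

def _walk(repo_root):
    """Yield (root, absolute path, repo-relative path) for every entry outside .git."""
    root = os.path.realpath(repo_root)
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            yield root, path, os.path.relpath(path, root)

def escaping_symlinks(repo_root):
    """Symlinks whose resolved target lies outside the repository root."""
    out = []
    for root, path, rel in _walk(repo_root):
        if os.path.islink(path):
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                out.append(rel)
    return sorted(out)

def remote_schemas(repo_root):
    """(file, host) for each JSON file whose top-level $schema is an http(s) URL."""
    out = []
    for _root, path, rel in _walk(repo_root):
        if not rel.endswith(".json") or os.path.islink(path) or not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                doc = json.load(fh)
        except (OSError, ValueError):  # unreadable or not valid JSON
            continue
        url = doc.get("$schema") if isinstance(doc, dict) else None
        if isinstance(url, str) and urlparse(url).scheme in ("http", "https"):
            out.append((rel, urlparse(url).hostname))
    return sorted(out)

if __name__ == "__main__":
    print(hidden_comments(SAMPLE_ISSUE), escaping_symlinks("."), remote_schemas("."))
```

Each finding is a prompt for human review before an AI assistant is pointed at the issue or repository; a remote `$schema` or an HTML comment is common in benign projects as well.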
Read More: https://www.securityweek.com/github-issues-abused-in-copilot-attack-leading-to-repository-takeover/