- AppOmni warns that ServiceNow’s Now Assist AI can be abused through “second-order prompt injection”
- Low-privileged malicious agents can recruit higher-privileged agents to extract sensitive data
- The risk arises from default settings; mitigations include supervised execution, disabling the autonomous override, and monitoring agents
We’ve all heard of malicious insiders, but have you ever heard of malicious insider AI?
Security researchers at AppOmni are warning that ServiceNow’s Now Assist generative artificial intelligence (GenAI) platform can be hijacked to turn against the user and against other agents.
Now Assist by ServiceNow is a platform that offers agent-to-agent collaboration: one AI agent can enlist a different AI agent to carry out certain tasks. So, if the “primary” agent is compromised (for example, through a prompt injection), it can tell a “secondary” agent with higher privileges to do harmful things, like exfiltrate sensitive data or escalate privileges.
Second-order prompt injection
For example, a low-privileged “workflow classification agent” receives a malformed client request that triggers it to generate an internal task that requests a “full context export” of an ongoing case.
The task is automatically passed to a “Data Recovery Agent” with higher privileges, which interprets the request as legitimate and compiles a package containing sensitive information (names, phone numbers, account identifiers, and internal audit notes) and sends it to an external notification endpoint that is incorrectly trusted by the system.
Because both agents assume the other is acting legitimately, the data leaves the system without any human reviewing or approving the action.
However, for this to work, the Now Assist platform must be left at default settings.
“This discovery is alarming because it is not a bug in the AI; it is expected behavior defined by certain default configuration options,” said Aaron Costello, head of SaaS Security Research at AppOmni.
“When agents can discover and recruit each other, a harmless request can quietly turn into an attack, where criminals steal sensitive data or gain further access to the company’s internal systems. These setups are easy to miss.”
AppOmni dubbed the technique “second-order prompt injection.”
While ServiceNow said the system is working as intended and will not be making any changes, it updated its documentation to indicate potential risks more clearly, The Hacker News reports.
To mitigate these threats, administrators are advised to configure supervised execution mode for privileged agents, disable the autonomous override property, segment agent duties by team, and monitor AI agents for suspicious behavior.
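To make the hand-off and the four mitigations concrete, here is an added example that is not part of the AppOmni research or of ServiceNow’s own code: a small JavaScript model of a delegation guard that sits between a requesting agent and the agent it tries to recruit. The agent names, privilege ranks, configuration keys, endpoints and the task object are all constructed for illustration and do not correspond to real ServiceNow properties. Run with the defaults-like settings, the export described above goes through with no human in the loop; with the hardened settings it is stopped.

```javascript
// Added illustrative model (not ServiceNow code): a guard that decides whether
// one AI agent may hand a task to another, applying the mitigations listed in
// the article. All names, fields and config keys are hypothetical.

// Constructed sample agents. "privilege" is a simple rank; "mode" is the agent's
// configured execution mode ("supervised" = a human approves each tool run).
const AGENTS = {
  "Workflow Classification Agent": { privilege: 1, team: "intake",   mode: "autonomous" },
  "Data Recovery Agent":           { privilege: 3, team: "recovery", mode: "supervised" },
};

// Default-like settings under which the article's scenario proceeds silently.
const DEFAULT_CONFIG = {
  allowExecutionModeOverride: true,   // a task may flip a supervised agent to autonomous
  segmentByTeam: false,               // any agent may recruit any other agent
  trustedEndpoints: ["https://notify.example.com", "https://hooks.partner.example"], // second one is "incorrectly trusted"
};

// Hardened settings following the recommendations.
const HARDENED_CONFIG = {
  allowExecutionModeOverride: false,
  segmentByTeam: true,
  trustedEndpoints: ["https://notify.example.com"],
};

// The hand-off the article describes, as a constructed task object.
const LEAK_TASK = {
  requester: "Workflow Classification Agent",
  target: "Data Recovery Agent",
  action: "full_context_export",
  requestedMode: "autonomous",
  destination: "https://hooks.partner.example",
};

function guardDelegation(task, agents, config) {
  const src = agents[task.requester];
  const dst = agents[task.target];
  if (!src || !dst) return { decision: "deny", reason: "unknown agent" };

  // 1. Team segmentation: an agent may only recruit agents on its own team.
  if (config.segmentByTeam && src.team !== dst.team) {
    return { decision: "deny", reason: `cross-team recruitment ${src.team} -> ${dst.team}` };
  }

  // 2. Egress control: exports may only go to allow-listed endpoints.
  if (task.destination && !config.trustedEndpoints.includes(task.destination)) {
    return { decision: "deny", reason: `untrusted destination ${task.destination}` };
  }

  // 3. Execution mode: a supervised target stays supervised unless override is enabled.
  let effectiveMode = dst.mode;
  if (task.requestedMode === "autonomous" && config.allowExecutionModeOverride) {
    effectiveMode = "autonomous";
  }

  // 4. Cross-agent privilege escalation: a lower-privileged requester asking a
  //    higher-privileged agent to act must pass through a human when supervised.
  if (dst.privilege > src.privilege && effectiveMode === "supervised") {
    return { decision: "require_approval", reason: "privileged agent in supervised mode" };
  }
  return { decision: "allow", reason: "policy satisfied", effectiveMode };
}

// Monitoring hook: one flat audit record per hand-off, ready to ship to a SIEM.
function auditRecord(task, result) {
  return {
    ts: new Date().toISOString(),
    requester: task.requester, target: task.target, action: task.action,
    destination: task.destination ?? null,
    decision: result.decision, reason: result.reason,
  };
}

function runScenario(config) {
  const result = guardDelegation(LEAK_TASK, AGENTS, config);
  return { result, audit: auditRecord(LEAK_TASK, result) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("defaults:", runScenario(DEFAULT_CONFIG).result);   // allow: data leaves unreviewed
  console.log("hardened:", runScenario(HARDENED_CONFIG).result);  // deny: cross-team recruitment
}
```

Each mitigation is an independent check, so you can see which one catches the scenario: disabling only the override turns the silent export into a request for human approval, tightening only the endpoint list blocks the egress, and team segmentation stops the recruitment before the task is even evaluated. The audit record is what the "monitor agents" recommendation reduces to in practice: every inter-agent hand-off, allowed or not, becomes a log line a detection rule can alert on.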
