- Copilot can reach GitHub repositories that are now private, the researchers found
- The repositories were public at some point, and Bing cached them
- The caching behavior is "acceptable," says Microsoft
Thousands of private GitHub repositories, some of which may contain credentials and other secrets, are exposed through Microsoft Copilot, the company's generative artificial intelligence (GenAI) assistant, experts have warned.
Cybersecurity researchers at Lasso reported their findings to Microsoft but received a mixed response.
Lasso is a cybersecurity company focused on the threats that arise from the use of new AI tools, and it reported that Copilot was able to retrieve one of Lasso's own GitHub repositories, which should have been private and inaccessible from the wider internet. Indeed, navigating directly to the repository on GitHub returns a "page not found" error. However, at one point the team had mistakenly left the repository public for a short period, long enough for Microsoft's Bing search engine to index it. That gave Copilot access to the data, even though the repository was no longer public.
Severe implications
Lasso investigated further, compiling a list of tens of thousands of repositories that had been public at one time and are private today, and found more than 20,000 that can still be accessed through Copilot, belonging to tens of thousands of organizations, including some of the largest players in the technology sector.
The implications of the findings could be quite serious. Speaking to TechCrunch, Lasso co-founder Ophir Dror said he used the flaw to retrieve a GitHub repository that hosted a tool for creating "offensive and harmful" images using Microsoft's cloud service. Corporate secrets of all kinds could be exposed the same way, which leads Dror to advise affected organizations to rotate or revoke their keys.
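The practical consequence of Dror's advice is that a repository that was public for even a short window has to be treated as fully disclosed, including every commit in its history: deleting a credential in a later commit does not remove it from a search-engine cache. The following is an added example written for this page, not Lasso's tooling or anything from the research. It scans the text of `git log -p --all` for a few credential formats and lists what needs rotating. The token shapes are approximations assumed from public documentation, and the sample log is constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed, abbreviated sample of `git log -p --all` output (not real data):
# commit 1111... adds credentials to a config file, commit 2222... removes them.
SAMPLE_GIT_LOG = """commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>
Date:   Mon Jan 6 10:00:00 2025 +0000

    add deploy config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+DEBUG = True
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>
Date:   Tue Jan 7 10:00:00 2025 +0000

    remove secrets from config

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
 DEBUG = True
"""

# Credential formats to look for. These shapes are assumptions based on public
# documentation (AWS access key IDs, classic GitHub tokens, PEM private keys),
# not an exhaustive list; extend for the providers your repositories use.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

COMMIT_HEADER = re.compile(r"^commit ([0-9a-f]{40})$", re.MULTILINE)


class Finding(NamedTuple):
    commit: str
    kind: str
    value: str


def split_commits(log_text: str) -> Dict[str, str]:
    """Map each commit hash to its section of the `git log -p` output."""
    commits: Dict[str, str] = {}
    headers = list(COMMIT_HEADER.finditer(log_text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        commits[m.group(1)] = log_text[m.end():end]
    return commits


def added_lines(section: str) -> List[str]:
    """Lines a commit introduced: '+' diff lines, excluding the '+++' file header."""
    return [ln[1:] for ln in section.splitlines()
            if ln.startswith("+") and not ln.startswith("+++")]


def scan_git_log(log_text: str) -> List[Finding]:
    """Every credential-shaped string ever added anywhere in the history."""
    findings: List[Finding] = []
    for commit, section in split_commits(log_text).items():
        for line in added_lines(section):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(commit, kind, match.group(0)))
    return findings


def secrets_to_rotate(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Distinct credentials to rotate, in stable order. A secret that a later
    commit deleted is still listed: once the repository was public and cached,
    removing the line does not un-leak the value."""
    return sorted({(f.kind, f.value) for f in findings})


if __name__ == "__main__":
    import sys
    # Usage: git log -p --all | python scan_history.py  (falls back to the sample)
    text = SAMPLE_GIT_LOG if sys.stdin.isatty() else sys.stdin.read()
    for kind, value in secrets_to_rotate(scan_git_log(text)):
        print(f"rotate {kind}: {value}")
```

Scanning only added lines is enough because a credential that was ever committed shows up as an added line in the commit that introduced it; the later removal in commit 2222... contributes no new findings, yet both keys are still reported for rotation.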
Microsoft reportedly told the company that the problem is "low severity" and that the caching behavior was "acceptable." As of December 2024, Microsoft no longer includes Bing cache links in its search results. Copilot, however, can still access the data.