This AI security flaw might be impossible to fix

A website called "UK visa portal" has been quietly collecting passport scans, selfies, and personal data from thousands of travellers who thought they were applying through official channels. They weren't. And when a journalist tried to warn the company, it was lawyers who responded.

Meanwhile, a paper from Cornell suggests that prompt injection - the technique malicious actors use to trick AI agents into doing things they really shouldn't - may be fundamentally unsolvable. Which is err... awkward, because everyone is rushing to plug AI agents into their email, files, and corporate networks.

Plus don't miss our featured interview with Andrea Sivieri of CoreView, who tells us how hackers can lock your entire organisation out of its Microsoft 365 environment... without having to trick you into running a single piece of malicious code or handing over a password.

All this and more in episode 470 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Tanya Janca.

EPISODE LINKS:

• Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked - 404 Media.
• Canon Printer Vulnerability Leaks Plaintext Credentials - Praetorian.
• Password manager Dashlane says hackers stole some customers' password vaults - TechCrunch.
• UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us - TechCrunch.
• AI Agents May Always Fall for Prompt Injections - ArXiv.
• MCP Security Crisis: Systemic Design Flaws in AI Agent Infrastructure - Cloud Security Alliance.
• From Preventive to Reactive: How AI Coding Assistants Transform Developers' Security Awareness - ArXiv.
• Design details that feel like magic - Design Spells.
• Singing lessons.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SPONSORS:

• Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
• CoreView - How secure is your Microsoft 365 tenant? Find out with CoreView's free Microsoft 365 Tenant Security Scanner.
• ESET - 30 years of threat research behind unique global telemetry, AI-native technology, and human expertise working together to keep your business protected.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy