CyberScoop
Vuln in Google's Antigravity AI agent manager could escape sandbox, give attackers remote code execution
As organizations weigh agentic AI for their business and IT stacks, researchers keep finding bugs and vulnerabilities in major commercial models and agents that can significantly expand their attack surface.
This week, researchers at Pillar Security disclosed a vulnerability in Antigravity, Google's AI-powered developer tool for filesystem operations.
The bug, since patched, chained prompt injection with Antigravity's permitted file-creation capability to give an attacker remote code execution.
The research details how the exploit circumvented Antigravity's Secure Mode, Google's highest security setting for its agents, which runs all command operations through a virtual sandbox, throttles network access and prohibits the agent from writing code outside the working directory.
Secure Mode is supposed to limit the agent's access to sensitive systems and its ability to carry out malicious or dangerous actions through shell commands. But one of Antigravity's file-searching tools, "find_by_name," is classified as a "native" system tool, which means the agent invokes it directly, before Secure Mode's command-level checks ever evaluate the operation.
"The security boundary that Secure Mode enforces simply never sees this call," wrote Dan Lisichkin, an AI security researcher with Pillar Security. "This means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it."
The prompt injection can be delivered through compromised identity accounts connected to the agent, or indirectly by hiding instructions in open-source files or web content the agent ingests. Antigravity has trouble distinguishing data it ingests for context from literal prompt instructions, so compromise requires no elevated access: it is enough to get the agent to read a malicious document or file.
According to a disclosure timeline provided by Pillar Security, the bug was reported to Google on Jan. 6 and patched on Feb. 28, with Google awarding a bug bounty for the discovery.
Lisichkin said the same pattern, prompt injection through unvalidated input, has turned up in other AI coding agents such as Cursor. Any unvalidated input an agent reads can become a malicious prompt capable of hijacking internal systems.
"The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content," he wrote.
That the vulnerability completely bypassed Google's Secure Mode underscores how the cybersecurity industry must adapt and "move beyond sanitization-based controls."
"Every native tool parameter that reaches a shell command is a potential injection point. Auditing for this class of vulnerability is no longer optional, and it is a prerequisite for shipping agentic features safely," Lisichkin wrote.
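To make the bug class described above concrete (a native tool whose parameter reaches a shell, skipping the boundary every other command goes through), here is an added Python example written for this page. It is not Pillar Security's proof of concept and not Google's implementation; the find_by_name_vulnerable and find_by_name_hardened functions, the WorkspacePolicy class, the SAFE_PATTERN regex and the constructed temporary workspace are all assumptions about how such a tool might be built, not a description of Antigravity's code.

```python
"""Illustrative example (not Antigravity's code): a file-search tool whose
name-pattern parameter is interpolated into a shell command, beside a hardened
version that validates the parameter, enforces the working-directory boundary
and never spawns a shell at all."""
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample: the "pattern" an attacker smuggles in via prompt injection.
# It is valid glob text followed by a shell command separator.
INJECTED_PATTERN = "*.py; echo INJECTED"

# Hypothetical allow-list for a filename glob: letters, digits, . _ - and the
# glob metacharacters * ? [ ]. No whitespace, quotes, ; | & $ or backticks.
SAFE_PATTERN = re.compile(r"^[A-Za-z0-9._*?\[\]-]{1,128}$")


def find_by_name_vulnerable(root: str, pattern: str) -> str:
    """Vulnerable: builds a shell string from the parameter. Whatever the model
    writes into `pattern` is parsed by /bin/sh, so a ';' ends the find command
    and starts a second, attacker-chosen command. Returns captured stdout."""
    cmd = f"find {root} -name {pattern}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


class WorkspacePolicy:
    """Stand-in for a 'secure mode' boundary: every tool, native or not, must
    resolve its filesystem target and prove it lies inside the workspace."""

    def __init__(self, workspace: Path):
        self.workspace = workspace.resolve()

    def check_path(self, candidate: Path) -> Path:
        resolved = candidate.resolve()  # collapses symlinks and ../ segments
        try:
            resolved.relative_to(self.workspace)
        except ValueError:
            raise PermissionError(f"{resolved} is outside {self.workspace}") from None
        return resolved


def find_by_name_hardened(policy: WorkspacePolicy, root: str, pattern: str) -> list[str]:
    """Hardened: reject anything that is not a plain glob, route the root through
    the same boundary check as every other tool, then search in-process with
    pathlib so there is no shell for the parameter to reach."""
    if not SAFE_PATTERN.fullmatch(pattern):
        raise ValueError(f"rejected pattern: {pattern!r}")
    base = policy.check_path(Path(root))
    return sorted(p.relative_to(base).as_posix() for p in base.rglob(pattern) if p.is_file())


def demo() -> dict:
    """Run both variants against a constructed workspace and return what each
    did, so the difference can be asserted on rather than eyeballed."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        (ws / "src").mkdir(parents=True)
        (ws / "src" / "app.py").write_text("print('hi')\n")
        (ws / "README.md").write_text("# demo\n")
        (Path(tmp) / "secret.txt").write_text("outside the workspace\n")
        policy = WorkspacePolicy(ws)

        vuln_out = find_by_name_vulnerable(str(ws), INJECTED_PATTERN)
        try:
            find_by_name_hardened(policy, str(ws), INJECTED_PATTERN)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        try:
            find_by_name_hardened(policy, tmp, "*.txt")  # root is the workspace's parent
            escape_blocked = False
        except PermissionError:
            escape_blocked = True
        legit = find_by_name_hardened(policy, str(ws), "*.py")
    return {
        "vulnerable_ran_injected_command": "INJECTED" in vuln_out,
        "hardened_rejected_pattern": hardened_rejected,
        "hardened_blocked_escape": escape_blocked,
        "hardened_legit_results": legit,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the vulnerable variant executing the injected echo, while the hardened one rejects the pattern, refuses a root outside the workspace and still finds src/app.py. Two design choices matter here: the tool does not need a shell at all, since pathlib does the search in-process, and the boundary check lives inside the tool's own code path rather than in a separate layer that a "native" call can bypass.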
The post Vuln in Google's Antigravity AI agent manager could escape sandbox, give attackers remote code execution appeared first on CyberScoop.
Black Hills Information Security
QEMU, MSYS2, and Emacs: Open-Source Solutions to Run Virtual Machines on Windows
As a tester, I do all my work inside a Virtual Machine (VM). Recently, I found myself in a situation where I needed to get a VM on a Windows […]
Build a Home Lab: Equipment, Tools, and Tips
by Martin Pearson || Guest Author
This article was originally published in the second edition of the InfoSec Survival Guide. Find it free online HERE or order your $1 physical […]