19
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 04 May 2025
19 points (100.0% liked)
TechTakes
1883 readers
164 users here now
Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.
This is not debate club. Unless it’s amusing debate.
For actually-good tech, you want our NotAwfulTech community
founded 2 years ago
MODERATORS
Here’s a fun one… Microsoft added copilot features to sharepoint. The copilot system has its own set of access controls. The access controls let it see things that normal users might not be able to see. Normal users can then just ask copilot to tell them the contents of the files and pages that they can’t see themselves. Luckily, no business would ever put sensitive information in their sharepoint system, so this isn’t a realistic threat, haha.
Obviously Microsoft have significant resources to research and fix the security problems that LLM integration will bring with it. So much money. So many experts. Plenty of time to think about the issues since the first recall debacle.
And this is what they’ve accomplished.
https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sharepoint/
@rook @BlueMonday1984 wow. Why go to all the trouble of social engineering a company when you can just ask Copilot?
@rook @BlueMonday1984 Maybe they have asked CoPilot to write the code that restricts access for CoPilot?
(Sometimes this future feels like 2001 A Space Odyssey, just as a farce. And without benevolent aliens.)
@rook @BlueMonday1984
Thankfully I'm able to say "what is sharepoint?"
I did meet it once. A client used it in their office. But when they wanted us offshore (via satellite link) to contribute to it, it became awfully unstable, probably because of latency/ unstable data links.
It's M$. I doubt it has improved.
Abusing privileged identities like this to do things is apparently a thing the younger hackers are quite good at so this will all be fun.
Is that this one or a different instance of the same bug?
I think that these are different products? I mean, the underlying problem is the same, but copilot studio seems to be “configure your own llm front-end” and copilot for sharepoint seems to be an integration made by the sharepoint team themselves, and it does make some promises about security.
Of course, it might be exactly the same thing with different branding slapped on top, and I’m not sure you could tell without some inside information, but at least this time the security failures are the fault of Microsoft themselves rather than incompetent third party folk. And that suggests that copilot studio is so difficult to use correctly that no-one can, which is funny.