Cuberk

A tech company integrated an AI chatbot into its website and product documentation to boost engagement, enhance user experience and automate support queries. The chatbot was designed to fetch live data from internal APIs, without proper isolation or access controls.

During our security audit, we discovered a prompt injection vulnerability that allowed us to bypass restrictions, access internal systems, and capture sensitive Bearer tokens used to authorise API communication.

Exploitation Scenario

1. Sent a crafted prompt to jailbreak the chatbot and extracted internal technical information.

   

   Injected prompt crafted to bypass the chatbot's restrictions and response revealing internal configuration and system-level details.

2. Instructed the chatbot to send HTTP requests to our controlled server.

   

   Chatbot making a request to an attacker-controlled domain.

3. Captured Bearer tokens from the request headers, allowing unauthorized access.

   

   Bearer token captured via HTTP logs on attacker server.

Key Takeaways

• AI adoption is valuable, but secure AI adoption is critical
• If your AI chatbot is fetching data or making decisions, make sure it's treated like any other trusted internal actor, and test it rigorously for new attack vectors.
• Prompt injection is a serious and often underestimated risk.

Recommendation

• Treat AI chatbots as privileged internal users, not as external widgets.
• Implement a middleware (proxy) layer to sanitise and monitor all chatbot-initiated requests.
• Tokens should be scoped and time-limited.
• AI features must be included in routine security testing, especially for injection flaws.

Disclaimer

This case study is shared for educational purposes only. All findings were responsibly disclosed to the affected client. No unauthorised access to real user data was performed.