This is a preview. The full article is published at techradar.com.

Eurostar chatbot security flaws almost left customers exposed to data theft


By Sead Fadilpašić, Latest from TechRadar

Security researchers found multiple vulnerabilities on Eurostar platform

Pen Test Partners found flaws in Eurostar’s AI chatbot, including weak validation and HTML injection
Eurostar says customer data was never at risk; vulnerabilities have since been mitigated
Palo Alto warns rapid AI adoption expands cloud attack surfaces via misconfigurations and non-human identities

Eurostar's recently introduced AI-powered customer support chatbot was marred by cybersecurity vulnerabilities that opened the doors to a multitude of potential risks, experts have warned.

Researchers at Pen Test Partners discovered the chatbot properly validated only the most recent messages in a conversation, meaning older messages could be altered to contain a malicious prompt. That prompt could be virtually anything, from revealing system information to (possibly) exfiltrating sensitive customer data.

Luckily, Eurostar did not connect its customer information database with the chatbot, so at the time of discovery, there was no direct risk of data leakage happening.

"Customers were never at risk"

The experts found there were other weaknesses in the system as well, including conversation and message IDs that weren’t properly verified, and an HTML injection flaw that enables running JavaScript directly in the chat window.

Pen Test Partners seem to be the first to have discovered these vulnerabilities: “No attempt was made to access other users’ conversations or personal data”, the researchers explained. “But the same design weaknesses could become far more serious as chatbot functionality expands”.

Eurostar emphasized customer data was never at risk, telling City AM: “The chatbot did not have access to other systems and more importantly no sensitive customer data was at risk. All data is protected by a customer login.”

Many businesses are rushing to deploy AI tools; however, rapid enterprise adoption is significantly expanding cloud attack surfaces and putting businesses at more risk than ever before.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
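The weaknesses described above (only the latest message validated, conversation and message IDs not verified, HTML reaching the chat window) map to three server-side checks. The following is an added example, not code from the article, Pen Test Partners or Eurostar; the HMAC tagging scheme, the demo key, the message layout and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import html

# Constructed demo key (assumption); a real service would load it from a secret store.
SERVER_KEY = b"constructed-demo-key"


def sign_message(conversation_id, index, role, text):
    """Tag binding a message to its conversation, position, role and content."""
    fields = [conversation_id, str(index), role, text]
    # Length-prefix each field so field boundaries cannot be shifted.
    payload = b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields
    )
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def build_history(conversation_id, turns):
    """Server side: attach a tag to each accepted (role, text) turn."""
    return [
        {"role": role, "text": text,
         "tag": sign_message(conversation_id, i, role, text)}
        for i, (role, text) in enumerate(turns)
    ]


def verify_history(conversation_id, history):
    """Check every message in the conversation, not only the most recent one."""
    for index, msg in enumerate(history):
        expected = sign_message(conversation_id, index, msg["role"], msg["text"])
        supplied = str(msg.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, f"message {index} failed integrity check"
    return True, "ok"


def render_reply(text):
    """Escape model output before it is placed into the chat window's HTML."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed sample conversation.
    history = build_history("conv-1", [("user", "When is the next train?"),
                                       ("assistant", "At 10:01.")])
    print(verify_history("conv-1", history))
    history[0]["text"] = "altered earlier message"
    print(verify_history("conv-1", history))
    print(render_reply("<b>hi</b>"))
```

Because the tag covers the conversation ID and the message position, a message replayed into another conversation or moved to a different slot fails the same check as an edited one.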
