Researchers identified vulnerabilities in six AI coding assistants that could allow malicious repositories to run arbitrary code on developers' machines. Exploiting symbolic links, attackers can manipulate the approval process of these tools, bypassing the user's consent and potentially leading to unauthorized access to sensitive files.
Wiz, a cybersecurity research firm, uncovered that six popular AI coding assistants are susceptible to a flaw they term 'GhostApproval'. This vulnerability can allow malicious code projects to gain control of a developer's machine by misleading the tools into granting file access without proper consent. The issue predominantly arises from the failure to check symbolic links (symlinks) during the approval process.
The attackers can create a malicious repository that contains a symlink which points to sensitive files, such as the user's SSH login file. When the developer requests the tool to make changes, the assistant writes to the symlink, inadvertently allowing the attacker to insert their own SSH key into critical files. There are also variations that can modify shell startup files.
The breakdown occurs in the approval interface of the AI tools, which presents misleading information to the user. For instance, the confirmation box may only reference a benign file, thus misleading users into believing they are not risking sensitive information. Wiz refers to this as an informed-consent bypass. Furthermore, some tools, like Windsurf, fail to prompt user approval before performing potentially harmful actions, exacerbating the issue.
As of now, three of the identified tools have provided fixes for the vulnerabilities, while two are still unpatched. Anthropic, the developer of Claude Code, disputes that this is a bug, despite Wiz's claims.
This research underscores the critical necessity for developers to recognize that sophisticated vulnerabilities can exploit common development tools. Developers should exercise caution and verify the actions of AI coding assistants, especially regarding file permissions and write operations.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Researchers identified vulnerabilities in six AI coding assistants that could allow malicious repositories to run arbitrary code on developers' machines. Exploiting symbolic links, attackers can manipulate the approval process of these tools, bypassing the user's consent and potentially leading to unauthorized access to sensitive files.