autonomous-exploitation

A CodeWall security research team deployed an autonomous AI agent that discovered and exploited a SQL injection vulnerability in McKinsey's internal Lilli chatbot platform, gaining full read-write database access within 2 hours by chaining unauthenticated API endpoints and error-based SQL injection, exposing 46.5 million chat messages and system prompts. The agent identified publicly exposed API documentation, detected SQL injection via error message reflection, and could have poisoned system prompts with a single UPDATE statement.

theregister.com · smurda · 25 days ago · 9 min · vulnerability · details · hn 34