Are Copilot Prompt Injection Flaws Vulnerabilities Or AI Limits?
Microsoft has pushed back against claims that multiple prompt injection and sandbox-related issues in its Copilot AI assistant, raised by a security engineer, constitute security vulnerabilities.
The development highlights a growing divide between how vendors and researchers define risk in generative AI systems.
"Last month, I discovered 4 vulnerabilities in Microsoft Copilot. They've since closed my cases stating they do not qualify for serviceability," posted cybersecurity engineer John Russell on LinkedIn.
Specifically, the issues disclosed by Russell and later dismissed by Microsoft as not qualifying as security vulnerabilities include:
Of these, the file upload restriction bypass is particularly interesting. Copilot generally does not allow "risky" file formats to be uploaded, but users can simply encode such files as base64 text strings to work around the restriction.
"Once submitted as a plain text file, the content passes initial file-type checks, can be decoded within the session, and the reconstructed file is subsequently analyzed — effectively circumventing upload policy controls," explains Russell.
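A content-based check of the kind that would close the gap Russell describes, added here as an example rather than code from Microsoft or from Russell: it sniffs the raw bytes of a "plain text" upload and also decodes any embedded base64 runs (inline tokens or line-wrapped blocks) before applying the same magic-byte denylist. The denylist and the sample upload are constructed for illustration; Copilot's real upload policy is not public.

```python
import base64
import re
# Hypothetical denylist of magic bytes; Copilot's real upload policy is not public.
BLOCKED_SIGNATURES = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (also Office/JAR containers)",
    b"%PDF": "PDF document",
}
_B64_LINE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")      # a line made only of base64
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # a token long enough to carry a file

def sniff(data: bytes):  # name of the blocked type whose signature `data` starts with, else None
    for magic, name in BLOCKED_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def _candidate_runs(text: bytes):
    """Yield base64 candidates: tokens inside ordinary lines, plus consecutive base64-only lines joined."""
    block = b""
    for line in text.split(b"\n") + [b""]:
        line = line.strip()
        if _B64_LINE.fullmatch(line) and (len(line) >= 32 or block):
            block += line                             # wrapped blob; a short line may only close it
            if len(line) >= 32:
                continue
        if block:
            yield block
            block = b""
        yield from (m.group(0) for m in _B64_RUN.finditer(line))

def _decode(run: bytes):
    run = run.rstrip(b"=")                            # normalise padding; malformed input -> None
    try:
        return base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
    except ValueError:
        return None

def inspect_text_upload(text: bytes):
    """Content-based check of a 'plain text' upload: blocked types found as raw bytes or inside base64."""
    findings = [kind for kind in [sniff(text)] if kind]   # a binary simply renamed .txt
    for run in _candidate_runs(text):
        kind = sniff(_decode(run) or b"") if len(run) >= 64 else None
        if kind:
            findings.append(kind)
    return findings

# Constructed sample: a fake PE header pasted as line-wrapped base64 between ordinary notes.
SAMPLE_UPLOAD = b"notes for copilot\n" + base64.encodebytes(b"MZ" + b"\x90" * 100) + b"end\n"
```

Extension-only checks pass SAMPLE_UPLOAD as text; this check reports it as a PE executable because it inspects what the bytes decode to, not the declared type.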
A debate quickly ensued on the engineer's post, with the security community offering diverse opinions.
Raj Marathe, a seasoned cybersecurity professional, affirmed the validity of the findings, citing a similar issue he said he had observed in the past:
"I witnessed a demonstration last year where prompt injection was hidden in a Word document and uploaded to Copilot. When Copilot read the document, it went berserk and locked out the user. It wasn't visible or white-worded but cleverly disguised within the document. I have yet to hear if that person heard back from Microsoft regarding the finding."
However, others questioned whether system prompt disclosure should be considered a vulnerability at all.
Source: BleepingComputer