IBM AI（'Bob'）透過提示注入漏洞，可下載並執行惡意軟體

Solutions

Industries

Partners

Resources

Book a Demo

Threat Intelligence

IBM AI ('Bob') Downloads and Executes Malware

Notion AI: Unpatched Data Exfiltration

HN #4

HuggingFace Chat Exfiltrates Data

Screen takeover attack in AI tool acquired for $1B

Google Antigravity Exfiltrates Data

HN #1

CellShock: Claude AI is Excel-lent at Stealing Data

Hijacking Claude Code via Injected Marketplace Plugins

Data Exfiltration from Slack AI via Indirect Prompt Injection

HN #1

Data Exfiltration from Writer.com via Indirect Prompt Injection

HN #5

Case Study in OWASP for LLM Top 10

Case study in MITRE Atlas

Threat Intelligence

Table of Content

Table of Content

Table of Content

IBM AI ('Bob') Downloads and Executes Malware

IBM's AI coding agent 'Bob' has been found vulnerable to downloading and executing malware without human approval through command validation bypasses exploited using indirect prompt injection.

A vulnerability has been identified that allows malicious actors to exploit IBM Bob to download and execute malware without human approval if the user configures ‘always allow’ for any command.IBM Bob is IBM’s new coding agent, currently in Closed Beta. IBM Bob is offered through the Bob CLI (a terminal-based coding agent like Claude Code or OpenAI Codex) and the Bob IDE (an AI-powered editor similar to Cursor).In this article, we demonstrate that the Bob CLI is vulnerable to prompt injection attacks resulting in malware execution, and the Bob IDE is vulnerable to known AI-specific data exfiltration vectors.

In the documentation, IBM warns that setting auto-approve for commands constitutes a 'high risk' that can 'potentially execute harmful operations' - with the recommendation that users leverage whitelists and avoid wildcards. We have opted to disclose this work publicly to ensure users are informed of the acute risks of using the system prior to its full release. We hope that further protections will be in place to remediate these risks for IBM Bob's General Access release.

The Attack Chain

The user wants to explore a new repository - they ask Bob for help.

Bob encounters an instruction at the bottom of the README that manipulates it into believing it is responsible for conducting a phishing training to test the user.

Bob prompts the user several times with benign ‘echo’ commands; after the third time, the user selects ‘always allow’ for execution of ‘echo’.

Bob attempts to ‘test’ the user as part of the training by offering a dangerous command. However, the command has been specially crafted to bypass built-in defenses, so it executes immediately, installing and running a script retrieved from an attacker’s server.

Bob has three defenses that are bypassed in this attack

When a multi-part command is requested (using operators like ‘;’), the user is shown a request that asks for permission to run each sub-command.

Note, this modal says: ‘Allow execution of echo, cat’.

This is bypassed because the defense system fails to identify separate sub-commands when they are chained using a redirect operator (>).

Note, this modal only mentions: ‘Allow execution of echo’.

Bob prohibits the use of command substitution like $(command) as a security measure.

However, even though the security message says it's restricted, the underlying code fails to adequately restrict evaluation via process substitution: >(command).

This allows for the output of the malicious sub-command that retrieves the malware to be used as the input for the sub-command to execute that malware. One can examine where the defense should have been in the minified JS source code:

By pre-fixing the malicious command with a benign ‘echo’, which the user has selected ‘always approve’ for, the user inadvertently auto-approves the entire malicious payload (since bypasses 1 and 2 prevent the payload from being recognized as separate commands).

Impact

With the ability to deliver an arbitrary shell script payload to the victim, attackers can leverage known (or custom) malware variants to conduct cyber attacks such as:

Executing ransomware that encrypts or deletes files

Credential theft or spyware deployment

Device takeover (opening a reverse shell)

Forcing the victim into a cryptocurrency-mining botnet

Together, these outcomes demonstrate how a prompt injection can escalate into a full-scale compromise of a user’s machine through vulnerabilities in the IBM Bob CLI.

Further Findings

Additional findings indicate that the Bob IDE is susceptible to several known zero-click data exfiltration vectors that affect many AI applications:

Markdown images are rendered in model outputs, with a Content Security Policy that allows requests to endpoints that can be logged by attackers (storage.googleapis.com).Here is an interesting spin on the typical Markdown image attack where, beyond just exfiltrating data from query parameters as the image is rendered, the image itself is hyperlinked and made to pose as a button - used for phishing.

Mermaid diagrams supporting external images are rendered in model outputs, with a Content Security Policy that allows requests to endpoints that can be logged by attackers (storage.googleapis.com).

JSON schemas are pre-fetched, which can yield data exfiltration if a dynamically generated attacker-controlled URL is provided in the field (this can happen before a file edit is accepted).

On this page

Label