Copilot vulnerability let hackers steal 2FA codes
This digest was compiled by AI from multiple sources — links to the originals are below.

A critical vulnerability in Microsoft's Copilot, dubbed SearchLeak, allowed attackers to intercept two-factor authentication codes from users. The exploit bypasses security measures by manipulating the AI's search function, exposing sensitive data.
The SearchLeak Exploit
Researchers at Ars Technica discovered the SearchLeak vulnerability in Microsoft's Copilot, which leverages the AI's ability to search the web. By crafting specific prompts, attackers could trick Copilot into revealing 2FA codes sent via email or SMS. The exploit does not require user interaction, making it particularly dangerous.
Industry-Wide Implications
The flaw highlights recurring security failures in large language model (LLM) integrations. Microsoft has released a patch, but the incident underscores the challenge of securing AI systems that access real-time data. Similar vulnerabilities have been found in other AI assistants, including Google's Bard and OpenAI's ChatGPT.
What's Next
Microsoft is urging all Copilot users to update their software immediately. It remains unclear whether the patch fully addresses the underlying architectural issues that enabled SearchLeak.
1 source
Copilot vulnerability let hackers steal 2FA codes






