We don't need to hack your AI Agent to hack your AI Agent

⭐⭐⭐⭐⭐ 5 stars • SRLabs Research • March 2026

Security researchers from SRLabs discovered that the most severe vulnerabilities in AI assistant deployments often have nothing to do with prompt injection — traditional Web security flaws can be enough to completely compromise AI systems.

Key Finding: A misconfigured Django debug flag created a direct path from an online AI agent to the personal and professional profile data of an organisation's entire workforce — without any AI-specific hacking.

The Attack Chain

  1. Public JS asset → Discover backend API URL embedded in JavaScript
  2. Unauthenticated GET request → Triggers Django debug error page
  3. Environment variables → Expose admin credentials (ADMIN_USERNAME, ADMIN_USER_PWD)
  4. Access Admin panel → Full Django admin access
  5. OAuth tokens → Live Microsoft Entra ID tokens in plaintext
  6. Microsoft Graph API → Access millions of employee profiles

What Was Exposed

  • Full API route listing — every endpoint the backend exposed
  • Application credentials stored as environment variables
  • System prompt contents — full initial instructions configuring the AI model's behaviour
  • All user conversations and uploaded files
  • OAuth tokens for Microsoft Entra ID
  • Access to millions of employee accounts
Why This Matters: The system prompt exposure is particularly significant — it often contains security-relevant assumptions, internal business logic, and architectural details useful for prompt injection attacks.

Why This Happens in AI Deployments

  • Speed pressure from management keeps focus on AI capabilities, leaving infrastructure as an afterthought
  • AI applications accumulate powerful credentials by design (document access, calendar access, identity tokens)
  • A single environment variable dump can expose access to systems beyond the application itself
  • Security thinking concentrated where attention is, not where exposure is

Key Takeaways

  1. Don't run with Django debug mode enabled in production
  2. AI-specific defenses (prompt injection protection) are meaningless if traditional infrastructure is compromised
  3. Environment variable hygiene is critical — they're often the keys to the kingdom
  4. OAuth tokens should never be stored or displayed in plaintext
  5. The attack chain uses only well-known, documented issues — none are novel
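A startup guard that enforces takeaways 1 and 3, added here as an illustration and not code from SRLabs or the affected deployment; the DJANGO_* variable names, the credential-name heuristic and the sample environment are assumptions (check the masking pattern against your Django version's SafeExceptionReporterFilter.hidden_settings):

```python
import re

# Constructed sample environment mirroring the misconfiguration in the writeup
# (variable names ADMIN_USERNAME / ADMIN_USER_PWD are from the writeup; values are made up).
SAMPLE_ENV = {
    "DJANGO_ENV": "production",
    "DJANGO_DEBUG": "True",
    "DJANGO_ALLOWED_HOSTS": "*",
    "ADMIN_USERNAME": "admin",
    "ADMIN_USER_PWD": "example-only",
}

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}

# Django's technical 500 page masks only settings/META keys whose names contain
# API, TOKEN, KEY, SECRET, PASS or SIGNATURE. ADMIN_USER_PWD matches none of them,
# so the page would print it verbatim. CREDENTIAL_LIKE is our own (assumed) heuristic.
DJANGO_MASKED = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
CREDENTIAL_LIKE = re.compile(r"PWD|PASSWD|CRED|AUTH", re.I)


def parse_bool(raw, default=False):
    """Strict parse: bool('False') is True in Python, so never rely on truthiness."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    return default


def deployment_findings(env):
    """Return the findings that should block startup; an empty list means safe to boot."""
    findings = []
    production = env.get("DJANGO_ENV", "production").lower() == "production"
    if production and parse_bool(env.get("DJANGO_DEBUG")):
        findings.append("DEBUG=True in production: technical 500 page dumps settings and environment")
    hosts = [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS empty or wildcard")
    for name in env:  # credentials whose names the debug-page cleanser would not mask
        if CREDENTIAL_LIKE.search(name) and not DJANGO_MASKED.search(name):
            findings.append(f"{name}: credential-like name Django's debug page would not mask")
    return findings


def guard_startup(env):
    """Call from settings.py or manage.py before the app boots; raises on any finding."""
    findings = deployment_findings(env)
    if findings:
        raise RuntimeError("refusing to start:\n  " + "\n  ".join(findings))
    return True
```

Pair it with Django's own `manage.py check --deploy`, which also warns when DEBUG is on, so the condition is caught both in CI and at process start.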
