- AppOmni warns that ServiceNow's Now Assist AI can be abused through “second-order hint injection”
- Malicious agents with low privileges can recruit agents with higher privileges to steal sensitive data.
- The risk is associated with default configurations; Mitigations include controlled execution, disabling overrides, and monitoring agents.
We've all heard of malicious insiders, but have you ever heard of malicious insider AI?
Security researchers from AppOmni warning Generative Artificial Intelligence (GenAI) platform from ServiceNow Now Assist. can be intercepted and directed against the user and other agents.
ServiceNow's Now Assist is a platform that offers agent-to-agent collaboration. This means that an AI agent can call on another AI agent to perform certain tasks. Thus, if the “primary” AI agent is malicious, it can instruct a “secondary” agent with higher privileges to perform malicious actions, such as stealing sensitive files or escalating privileges.
Fast second order introduction
For example, a low-privileged “Workflow Triage Agent” receives a malformed client request that causes it to generate an internal task requesting a “full contextual export” of the current hit.
The task is automatically passed to a higher-privileged “Data Retrieval Agent,” which interprets the request as legitimate and compiles a packet containing sensitive information—names, phone numbers, account IDs, and internal audit notes—and sends it to an external notification endpoint that the system falsely trusts.
Because both agents assume that the other is acting legitimately, the data leaves the system without human review or approval of the action.
However, for this to work, the Now Assist platform must be left at its default settings.
“This discovery is alarming because it is not a bug in the AI; this is expected behavior determined by certain default configuration settings,” said Aaron Costello, head of SaaS security research at AppOmni.
“When agents can detect and recruit each other, an innocuous request can silently turn into an attack as criminals steal sensitive data or gain greater access to a company's internal systems. These settings are easy to miss.”
The vulnerability is called “second-order instantaneous injection.”
While ServiceNow said the system works as designed and won't be making any changes, it did update its documentation to more clearly outline the potential risks, The Hacker News reports.
To mitigate these threats, users are advised to configure controlled execution mode for privileged agents, disable the offline override property, segment agent responsibilities into groups, and monitor for suspicious behavior of AI agents.
The best antivirus for any budget
Follow TechRadar on Google News. And add us as your preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the “Subscribe” button!
And of course you can also Follow TechRadar on TikTok for news, reviews, unboxing videos and get regular updates from us on whatsapp too much.
