Black Hat: Researchers demonstrate zero-click prompt injection attacks in popular AI agents

“Sadly, due to the natural language nature of prompt injections, blocking them using classifiers or any form of blacklisting isn’t enough,” they said in their report. “There are just too many ways to write them, hiding them behind benign topics, using different phrasings, tones, languages, etc. Just like we don’t consider malware fixed because another sample made it into a deny list, the same is true for prompt injection.”

Hijacking Cursor coding assistant through Jira tickets

As part of the same research effort, Zenity also investigated Cursor, one of the most popular AI-assisted code editors and IDEs. Cursor can integrate with many third-party tools, including Jira, one of the most popular project management platforms used for issue tracking.

“You can ask Cursor to look into your assigned tickets, summarize open issues, and even close tickets or reply automatically, all from inside your editor. Sounds great, right?” the researchers said. “But tickets aren’t always created by developers. In many companies, tickets from external systems like Zendesk are automatically synced into Jira. This means an external actor can send an email to a Zendesk-connected support address and inject untrusted input into the agent’s workflow.”
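Because a ticket synced from an external system is untrusted input however harmless it reads, one defensive option is to gate agent actions on ticket provenance instead of on ticket wording. The sketch below is an added example, not code from Zenity, Cursor or Jira; the `origin` labels, action names and classes are hypothetical, and the sample tickets are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical provenance labels (assumption: the sync integration records how
# a ticket entered the tracker; these are not real Jira field values).
TRUSTED_ORIGINS = {"internal_user"}

# Illustrative agent actions that have side effects or touch local data.
SENSITIVE_ACTIONS = {"close_ticket", "reply_to_ticket", "read_local_file", "run_command"}


@dataclass
class Ticket:
    key: str
    origin: str  # e.g. "internal_user" or "zendesk_sync"
    body: str


@dataclass
class AgentSession:
    # Keys of every externally sourced ticket that has entered the context.
    tainted_by: list = field(default_factory=list)

    def load_ticket(self, ticket: Ticket) -> str:
        """Add a ticket to the agent context and record untrusted provenance."""
        if ticket.origin not in TRUSTED_ORIGINS:
            self.tainted_by.append(ticket.key)
            # Delimiting marks the text as data for the model; it is a label,
            # not a security boundary. The boundary is authorize() below.
            return f"<untrusted ticket={ticket.key}>\n{ticket.body}\n</untrusted>"
        return ticket.body

    def authorize(self, action: str) -> str:
        """Decide from provenance alone; ticket wording is never inspected."""
        if action in SENSITIVE_ACTIONS and self.tainted_by:
            return "needs_human_approval"
        return "allow"


def demo() -> list:
    """Run constructed tickets through one session and collect the decisions."""
    session = AgentSession()
    decisions = []
    session.load_ticket(Ticket("DEV-1", "internal_user", "Refactor the build script"))
    decisions.append(session.authorize("close_ticket"))
    # Benign-looking text still taints the session because of where it came from.
    session.load_ticket(Ticket("SUP-7", "zendesk_sync", "Customer reports a login timeout"))
    decisions.append(session.authorize("close_ticket"))
    decisions.append(session.authorize("summarize"))
    return decisions
```

The decision never depends on what the ticket says, so rephrasing the text cannot change the outcome; only the recorded origin matters.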
