Perplexity @comet AI Agent just bankrupted your company
Go from $1M->0M ARR with this one simple trick
Jokes aside, this month @perplexity_ai opened up access to their AI Agent browser, @comet - with native connections that can read your apps like Email, Calendar, Notion, etc.
Comet's tagline is "The browser that works for you" - this is true, until it starts working for a malicious attacker.
With just your email, we managed to bankrupt your company.
Here's how we did it:
1. The attacker sends a calendar invite with a jailbreak prompt to the victim, just with their email. No need for the victim to accept the invite.
2. Wait for the user to ask Comet to access their calendar.
3. Comet reads the jailbroken calendar invite. Now, Comet is hijacked by the attacker and will act on the attacker's command. It controls the browser and deletes all customers.
To be fair, you can see the reasoning traces of Comet mentioning their plan to delete all customers on Stripe, so you can stop it before disaster. But the context switch from "check my accounting event today" to bankrupting your company without any mention until the final step highlights the dangers of LLMs, especially if you tab out while waiting for the LLM.
Remember that AI might be super smart, but it can be tricked and phished in incredibly dumb ways to leak your data.
These LLM hijack problems are what we're looking to solve in @edison_watch - Jailbreaks are inevitable, but data leaks shouldn't be. Open source LLM leashes with deterministic blocking isn't by tracking context I/O trust assumptions. See below for how to protect yourself from these attacks.
Cursor + GitHub MCP can lead to private keys being leaked
Not just Cursor, though. All AI IDEs are vulnerable to this type of attack.
The fundamental problem: AI agents on Cursor follow your commands, not your common sense.
With an unsuspecting GitHub issue, we managed to exfiltrate all private keys.
Here's how the exploit works:
1. The attacker submits a GitHub issue that looks legit with a jailbreak prompt at the bottom.
2. Wait for the victim to ask Cursor to look through the GitHub issues for a given repo.
3. Cursor reads the jailbroken GitHub issue. Now Cursor is hijacked by the attacker and will act on the attacker's command. It can search your ENTIRE codebase and send the sensitive data (code, private keys) to the GitHub issue, open for the attacker to steal.
Cursor has tried its best to protect this and requires manual human approvals for every action the agent takes. But decision fatigue is a real thing, and as the coding agents improve, people are starting to trust the agents blindly, turn on "YOLO mode", or just click approve, approve, approve.
This is why we built OpenEdison by @edison_watch: The open source AI Agent Firewall. Let your agent run YOLO securely, let the agent do work. We block/warn the dangerous MCP calls, only when strictly necessary to avoid decision fatigue.
Remember that AI might be super smart, but it can be tricked and phished in incredibly dumb ways to leak your data.
Cursor + MCP poses a serious security risk if developers are not careful
Curious about more real-world AI exploits that could happen to YOU? We have a list of AI exploits with common MCP connectors. Comment "AI Exploits" to get access to the private list and learn how to keep yourself safe!
Introducing OpenEdison by @edison_watch, the AI Agent Firewall
Agents + Tools/MCP = Data leak risk
OpenEdison is an OSS firewall that deterministically blocks data exfiltration & dangerous agent action, even if jailbroken.
Comment your MCP use, I'll DM how risky your use is.
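The two scenarios above (a calendar invite hijacking Comet into deleting Stripe customers, and a GitHub issue hijacking Cursor into posting private keys) share one pattern: third-party-authored text enters the context through a read tool, and a high-impact tool call follows. The snippet below is an added illustration of the deterministic, trust-tracking gate idea the thread describes; it is not OpenEdison's code, and every tool name, secret marker and trace in it is a constructed assumption.

```python
"""Constructed example: a deterministic tool-call gate that tracks context trust.
Once a tool returns third-party-authored content, the session is tainted and
destructive or outbound calls are refused until a human explicitly re-approves."""
from dataclasses import dataclass, field

UNTRUSTED_SOURCES = {"calendar.read", "github.read_issue"}   # hypothetical tool names
DESTRUCTIVE_TOOLS = {"stripe.delete_customer", "db.drop_table"}
EGRESS_TOOLS = {"github.comment_issue", "email.send"}
SECRET_MARKERS = ("-----BEGIN", "sk_live_", "AKIA")           # crude, illustrative detector

@dataclass
class Session:
    tainted_by: list = field(default_factory=list)   # untrusted tools already read
    human_approved: bool = False                     # explicit out-of-band approval

def on_tool_output(session: Session, tool: str) -> None:
    """Called after every tool result is appended to the model context."""
    if tool in UNTRUSTED_SOURCES and tool not in session.tainted_by:
        session.tainted_by.append(tool)

def gate(session: Session, tool: str, args: dict) -> tuple[bool, str]:
    """Decide before a tool call executes; ignores the model's stated intent."""
    if tool in EGRESS_TOOLS:
        payload = " ".join(str(v) for v in args.values())
        if any(m in payload for m in SECRET_MARKERS):
            return False, "outbound payload contains secret-like material"
    if tool in DESTRUCTIVE_TOOLS or tool in EGRESS_TOOLS:
        if session.tainted_by and not session.human_approved:
            return False, f"untrusted content from {session.tainted_by} is in context"
    return True, "allowed"

def replay(calls: list, approved: bool = False) -> list:
    """Run an ordered trace of (tool, args) through the gate; returns (tool, allowed) pairs."""
    session = Session(human_approved=approved)
    decisions = []
    for tool, args in calls:
        allowed, _reason = gate(session, tool, args)
        decisions.append((tool, allowed))
        if allowed:
            on_tool_output(session, tool)   # the (possibly attacker-authored) result is now in context
    return decisions

# Constructed traces mirroring the two scenarios in the thread.
COMET_TRACE = [("calendar.read", {"day": "today"}),
               ("stripe.delete_customer", {"id": "cus_example"})]
CURSOR_TRACE = [("github.read_issue", {"number": 1}),
                ("github.comment_issue", {"number": 1, "body": "-----BEGIN PRIVATE KEY-----..."})]
```

The secret check on outbound payloads applies even after human approval, so an approved but hijacked session still cannot post key material.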
MCPoison: CVE-2025-54136
@_CPResearch_ found a persistent RCE flaw in @cursor_ai's IDE: one approval, silent exploitation, repeated access.
AI tooling just met a serious trust issue.
Read the full breakdown: https://t.co/Hdrpdtf45R
#CyberSecurity #cursor
I understand Replit is a tool, with flaws like every tool
But how could anyone on planet earth use it in production if it ignores all orders and deletes your database?
@swyx @JaneStreetGroup @virattt @goodalexander @nope_its_lily Surely not with HFT - even with SRAM-centric chips (i.e. Groq, Cerebras) latency is too slow?
Also I imagine since so early in the game probably quite locked up