TechRadar
Sead Fadilpašić

Eurostar chatbot security flaws almost left customers exposed to possible security threats

  • Pen Test Partners found flaws in Eurostar’s AI chatbot, including weak validation and HTML injection
  • Eurostar says customer data was never at risk; vulnerabilities have since been mitigated
  • Palo Alto warns rapid AI adoption expands cloud attack surfaces via misconfigurations and non-human identities

Eurostar's recently introduced AI-powered customer support chatbot was marred by cybersecurity vulnerabilities that opened the door to a multitude of potential risks, experts have warned.

Researchers at Pen Test Partners discovered that the chatbot properly validated only the most recent messages in a conversation, meaning older messages could be altered to contain a malicious prompt. That prompt could be virtually anything, from revealing system information to (possibly) exfiltrating sensitive customer data.

Luckily, Eurostar did not connect its customer information database with the chatbot, so at the time of discovery, there was no direct risk of data leakage happening.

"Customers were never at risk"

The experts found there were other weaknesses in the system as well, including conversation and message IDs that weren't properly verified, and an HTML injection flaw that enabled running JavaScript directly in the chat window.
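The two weaknesses described above (validation that covered only the most recent turns, and chatbot output reaching the chat window unescaped) can be illustrated with an added Python example; it is not Eurostar's or Pen Test Partners' code, and the secret key, message format and function names are assumptions:

```python
import hashlib
import hmac
import html
import json

# Assumption: server-side secret, never sent to the browser (constructed value).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sign_message(prev_tag: str, role: str, content: str) -> str:
    """Tag = HMAC(key, prev_tag || role || content). Chaining prev_tag means
    editing any earlier turn invalidates every tag after it."""
    mac = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(json.dumps([role, content]).encode())
    return mac.hexdigest()

def append_message(history: list, role: str, content: str) -> list:
    """Server-side append: tag the new turn and link it to the previous one."""
    prev_tag = history[-1]["tag"] if history else ""
    history.append({"role": role, "content": content,
                    "tag": sign_message(prev_tag, role, content)})
    return history

def validate_last_only(history: list) -> bool:
    """The weak pattern the article describes: only the newest turn is checked,
    so a client that rewrites an older turn goes unnoticed."""
    if not history:
        return True
    prev_tag = history[-2].get("tag", "") if len(history) > 1 else ""
    last = history[-1]
    expected = sign_message(prev_tag, last["role"], last["content"])
    return hmac.compare_digest(expected, last.get("tag", ""))

def validate_history(history: list) -> bool:
    """Hardened check: re-derive the whole chain from the first turn and reject
    the conversation on the first mismatch."""
    prev_tag = ""
    for msg in history:
        expected = sign_message(prev_tag, msg["role"], msg["content"])
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False
        prev_tag = expected
    return True

def render_reply(text: str) -> str:
    """Escape model output before it reaches the chat window, so anything that
    looks like markup is displayed literally rather than interpreted."""
    return html.escape(text, quote=True)
```

Because the tags are computed server-side with a key the browser never sees, the server can accept a client-supplied transcript only after re-deriving every tag, rather than trusting any turn it did not check itself.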

Pen Test Partners seem to be the first to have discovered these vulnerabilities: “No attempt was made to access other users’ conversations or personal data”, the researchers explained. “But the same design weaknesses could become far more serious as chatbot functionality expands”.

Eurostar emphasized customer data was never at risk, telling City AM: “The chatbot did not have access to other systems and more importantly no sensitive customer data was at risk. All data is protected by a customer login.”

Many businesses are rushing to deploy AI tools; however, rapid enterprise adoption is significantly expanding cloud attack surfaces and putting businesses at more risk than ever before.
