logoalt Hacker News

jofzartoday at 7:12 AM3 repliesview on HN

> Responsible Disclosure GitLost was responsibly disclosed to GitHub. Vulnerability details are shared here with their knowledge.

Why does this section not have when it was fixed or GitHub acknowledge/rejected this?

Did they not fix this?


Replies

Gigachadtoday at 7:52 AM

This isn’t a normal software bug, it’s not fixable in the same way you can’t fix regular support staff from being tricked.

The answer is you should not allow LLMs access to untrusted input and sensitive data at the same time.

show 1 reply
dzikimariantoday at 7:29 AM

Fix what? They setup LLM with access to private data and ability to read public comments. That's simply misconfiguration.

show 1 reply
jofzartoday at 10:25 AM

Actually op, can you clarify if you did this with the below setting on? There is a literal setting to stop this so I'm curious if this was created because of this report or if this is just negligence from the reporter to not add this as a comment.

https://github.github.com/gh-aw/reference/cross-repository/#...