Critical vulnerability in Lenovo chatbot allowed to steal cookies and run malicious code

 Lenovo’s AI chatbot Lena had XSS vulnerabilities that allowed attackers to inject malicious code, steal cookies, and gain access to the company’s internal support systems through a single prompt.

Lenovo launched the Lena chatbot based on GPT-4 to help customers, but the lack of input and output validation turned it into a potential threat. The researchers were able to force the chatbot to generate HTML responses with hidden instructions. This allowed the browser to automatically send cookies to the attackers’ server, and also created a path to Lenovo’s internal support system.

All it took was a 400-character prompt with four stages: requesting legitimate information, changing the response format, a hidden HTML trap with a fake image, and finally reinforcing the team. As a result, malicious code entered the system, was stored in the chat history, and was launched when a dialog was opened by both the user and the support agent.

The researchers emphasized that the consequences could have been much more serious: execution of system commands, installation of backdoors, keylogging, redirects to phishing sites, theft or modification of data in support systems.

• Lenovo acknowledged the problem after the notification on July 22, fixed it by August 18, and declared the security of its systems.

• XSS attacks are a classic web security problem, but the Lenovo case showed that the integration of large language models opens up new risk vectors. Unlike conventional forms, chatbots can be prone to prompt injection — when users force AI to perform dangerous actions.

• Experts note: corporations are in a hurry to implement AI solutions, but often underestimate the security aspects. Such incidents may become a new trend in attacks against businesses.

The Lenovo incident is clear evidence that chatbots without proper data validation are becoming a tool for attacks. Companies need to implement strict input and output filtering mechanisms, CSP policies, minimize service permissions, and constantly monitor the operation of AI solutions. Security must evolve in parallel with innovation.