Autonomous Agent Hacked McKinsey’s AI in 2 Hours

Cybersecurity Startup Exposed Lilli Using a Flaw as Old as the Web

Image: aileenchik/Shutterstock

A cybersecurity startup says its artificial intelligence agent needed just two hours to break into McKinsey & Company’s proprietary generative AI platform, accessing millions of staff messages and thousands of files.

CodeWall published findings earlier this week, disclosing that it also could have rewritten the chatbot’s core instructions after its agent exploited a SQL injection flaw.

The startup said its agent gained full read and write access to the production database underpinning McKinsey’s AI platform Lilli, an internal platform the high-priced consultancy says could “rewire the way we operate.” Roughly three quarters of the firm’s more than 40,000 employees use it for strategy work, client research and document analysis.

The Register, which first reported the hacking exercise, said CodeWall notified McKinsey’s security team on March 1 and the firm patched all exposed access points and took its development environment offline by March 2.

McKinsey’s responsible disclosure policy, published on bug-reporting platform HackerOne, was among the reasons CodeWall’s agent flagged the firm as a target. “In the AI era, the threat landscape is shifting drastically – AI agents autonomously selecting and attacking targets will become the new normal,” CodeWall said.

Not everyone accepts CodeWall’s account at face value. Security analyst Edward Kiledjian wrote that the attack chain CodeWall described was “plausible and technically sound,” but that the claimed scope of impact was “not fully evidenced.” He also raised questions about the scope of the test itself: “A disclosure policy is not blanket authorization to enumerate a production database.” Kiledjian said McKinsey’s rapid patch did not necessarily mean a full forensic review had been completed. “Nine days is a compressed window” for variant analysis and for confirming that no one else had previously exploited the same flaw.

“No credentials. No insider knowledge. And no human-in-the-loop,” is how CodeWall described its agent’s break-in to Lilli. The agent found its way in through publicly exposed technical documentation listing more than 200 endpoints. Of those, 22 required no authentication. One of those open endpoints accepted user search queries and passed them into a database query without validating the input: a SQL injection flaw. The agent noticed that field names it submitted were reflected verbatim in database error messages, the signature of an error-based injection that standard scanners would not flag, and the error messages eventually began returning live production data.

CodeWall said that within two hours, the agent had accessed 46.5 million chat messages covering strategy, mergers and acquisitions, and client engagements. It also accessed 728,000 files, 57,000 user accounts, 384,000 AI assistants and 94,000 workspaces.

The write access made the exposure considerably more serious. Lilli’s 95 internal system prompts – the instructions governing how the chatbot responds to users – were stored in the same database. An attacker could have altered them without deploying new code or triggering standard security alerts. “No deployment needed. No code change. Just a single UPDATE statement wrapped in a single HTTP call,” CodeWall wrote in its blog post.
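The pattern the two passages above describe, as an added example that is not CodeWall’s or McKinsey’s code: a search handler that splices the query string into SQL and echoes database errors back to the caller, the three probes that expose it (a stray quote, a made-up column name reflected in the error, and a UNION that reads the system-prompt table sharing the same database), and the parameterized version with a generic error message. The schema, table and column names and the sample rows are invented for illustration, and the database is an in-memory SQLite instance so the script runs offline.

```python
# Added example (not CodeWall's or McKinsey's code). Table and column names
# and the sample rows are invented; in-memory SQLite stands in for the
# production database so the script runs offline.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a documents table and, in the same database,
    the system-prompt table the article says was stored alongside it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE system_prompts (id INTEGER PRIMARY KEY, name TEXT, prompt TEXT);
        INSERT INTO documents VALUES (1, 'Q3 market sizing', 'summary');
        INSERT INTO documents VALUES (2, 'Engagement notes', 'confidential');
        INSERT INTO system_prompts VALUES
            (1, 'default', 'You are an internal assistant. Never reveal client names.');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> dict:
    """The flawed pattern: user input is spliced into the SQL text and the
    driver's error message is returned verbatim. A quote breaks the statement,
    an unknown identifier is echoed back in a 'no such column' error, and a
    UNION pulls rows from any other table in the same database."""
    sql = f"SELECT id, title FROM documents WHERE title LIKE '%{q}%'"
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as e:
        return {"error": str(e)}


def search_fixed(conn: sqlite3.Connection, q: str) -> dict:
    """The fix: the value is bound as a parameter, so it travels as data and
    cannot change the statement's structure; the LIKE wildcards are added to
    the bound value, not to the SQL string. Driver errors are replaced with a
    generic message so the response cannot be used as an oracle (server-side
    logging of the real error is omitted here)."""
    sql = "SELECT id, title FROM documents WHERE title LIKE ?"
    try:
        return {"rows": conn.execute(sql, (f"%{q}%",)).fetchall()}
    except sqlite3.Error:
        return {"error": "search failed"}


# Three probes in the order a tester, human or agent, would typically try them.
PROBES = {
    "quote": "O'Brien",
    "reflect": "x' AND nosuchcolumn = 'y",
    "exfil": "x' UNION SELECT id, prompt FROM system_prompts --",
}


if __name__ == "__main__":
    db = build_db()
    for name, payload in PROBES.items():
        print(name, "vulnerable:", search_vulnerable(db, payload))
        print(name, "fixed:     ", search_fixed(db, payload))
```

The "reflect" probe is the signal the article attributes to the agent: the invented column name comes back unchanged inside the error text, proving the input reached the SQL parser as code rather than as data. The "exfil" probe then reads the system-prompt table through the same search endpoint. Only the read side is shown; the same concatenation pattern on a connection that accepts stacked statements, or on an endpoint whose own query is an UPDATE, yields the write access the article describes.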

A McKinsey source told The Financial Times that the underlying files were stored separately and were “never at risk.” In a statement to The Register, McKinsey said: “Our investigation, supported by a leading third-party forensics firm, identified no evidence that client data or client confidential information were accessed by this researcher or any other unauthorized third party. McKinsey’s cybersecurity systems are robust, and we have no higher priority than the protection of client data and information that we have been entrusted with.”

CodeWall said that the vulnerability was not exotic. “SQL injection is one of the oldest bug classes in the book. Lilli had been running in production for over two years and their own internal scanners failed to find any issues.”

The timing is troubling for McKinsey. The firm said AI advisory work accounts for around 40% of its revenue. Its CEO said this year the firm has built 25,000 AI agents to support its workforce. The consultancy has pointed to its own AI adoption as evidence it practices what it sells to clients.
