Two major AI related security issues. Point out the need for a serious review of AI vulnerabilities. Meta could face the biggest fines ever for a violation of a number of European laws and regulations, and they're calling it the Peep Show. Internet accessible cameras have reached epidemic proportions. This is cybersecurity today.
I'm your host, Jim Love. Security researchers at AIM Security discovered Echo Leak in January, 2025, the first known zero click AI vulnerability that lets attackers steal sensitive data without any user interaction. The critical rated vulnerability has been assigned the CVE identifier, CVE 20 25 3 2 7 1 1, a score of 9.3, and it was quietly patched by Microsoft in May. But here's the concerning part. This isn't just a Microsoft problem.
The attack exploits what researchers call LLM Scope Violation in which untrusted input from outside an organization can commandeer an AI model to access and steal privileged data. Simply put, assistance can't tell the difference between trusted company data and malicious external content. The attack works with Chilling Simplicity.
The attacker sends a business style email containing a malicious prompt that looks like ordinary correspondence, and When users later ask copilot business questions, the AI's retrieval system pulls in that malicious email as context. The hidden prompt then tricks copilot into extracting and transmitting sensitive internal data chat histories, OneDrive documents, strategic plans to attacker controlled servers.
AIM security has warned the attack results in allowing the attacker to exfiltrate the most sensitive data from the current LLM context. No security alerts, no breach notifications, no traditional hacking signatures, just an overly helpful ai, quietly leaking corporate secrets. The broader implications are staggering.
The attack is based on general design flaws that exist in other rag applications and AI agents suggesting the vulnerability could affect numerous AI platforms beyond Microsoft's ecosystem. Microsoft confirmed that there's no evidence of any real world exploitation, but security experts warn this represents a new class of threats as Jeff Pollard from Forrester noted.
Once you've empowered something to operate on your behalf, to scan your email schedule meetings, send responses, and more, attackers will find a way to exploit it given the treasure trove of information.
For businesses deploying AI agents echo leak signals an urgent need to rethink AI security, moving beyond traditional cybersecurity to address the unique risks of AI that's designed to be helpful, but lacks the judgment to say no. And the race to connect AI agents to everything is hit a massive roadblock from a security point of view.
As tech giants rush to adopt the model context protocol, the new standard, promising to be the USBC for AI applications, security researchers are uncovering fundamental flaws that could turn helpful AI assistance into data stealing Trojans. Here's the scope. MCP has exploded across the AI landscape since Anthropic launched it in November, 2024. With everyone from Claude Desktop to Cursor IDE, integrating the protocol, the promise is compelling.
Instead of building custom integration for every service, MCP creates a universal interface that lets AI agents seamlessly access tools, databases, and external services through natural language commands. But that universality has created universal vulnerabilities. Multiple security firms have now identified critical attack vectors that exploit's MCP's core design.
CyberArk researchers discovered what they've dubbed full schema poisoning a technique that goes far beyond previous security concerns. Security researcher Simcha Cosman said, While most of the attention around tool poisoning attacks has focused on the description field, this vastly underestimates the other potential attack surface. Every part of the tool schema is a potential injection point, not just the description. The attack mechanics are deceptively simple.
Attackers create malicious MCP tools with innocent descriptions like calculators or formatters, but embed hidden instructions that steal sensitive data. Because most MCP clients don't show users the full tool descriptions, victims have no visibility into what's actually happening when their AI assistant reads SSH keys configuration files or private documents.
Meanwhile, Invariant Labs demonstrated what they call rug pull attacks, where approved tools quietly changed their behavior after installation. And researchers found critical flaws in GitHub's MCP integration that allows attackers to hijack AI agents through malicious repository issues. The root problem's, MCP's fundamentally optimistic trust model, assumes syntactic correctness. Equals semantic safety.
As one researcher put it, AI models will trust anything that can send them convincing sounding tokens, making them extremely vulnerable to confused deputy attacks. As LLM agents become more capable and autonomous, their interaction with external tools through protocols like MCP, define how safely and reliably they operate.
Costman warned Tool poisoning attacks, especially advanced forms like ATPA expose critical blind spots in current implementations for businesses deploying AI agents MC P's, security crisis signals an urgent need to rethink how AI systems handle external integrations. Until these fundamental design issues are addressed, every new MCP connection could become a potential attack vector.
Over these past two stories, I think we've come up with a brilliant illustration of why you don't bolt on, but need to build in security. I'm interested in doing more stories on this, and if you are an expert in this area, or you know, one, please contact me at [email protected]. Meta's latest privacy scandal has researchers and regulators calling for unprecedented enforcement action that has the potential to have huge fines levied against the social media giant.
Security researchers uncovered a sophisticated tracking technique that bypassed Android's core privacy protections, which could be a huge violation of multiple European regulations simultaneously. The discovery centers on what researchers dubbed local host tracking a method that allows Meta to link users' anonymous web browsing to their real Facebook and Instagram identities, even when users employed VPNs incognito mode and deleted cookies after every session. Here's how it worked.
Meta's apps created hidden background services that listened on specific network ports on Android devices. When users visited websites containing METAS tracking pixels found on over 17,000 sites in the US alone, The pixels used web RTC protocols with a technique called SDP Munging to secretly transmit cookie identifiers to the listening apps. The scale is massive. A group of researchers found the technique affected.
22% of the world's most visited websites, Meta's Pixel was found on 15,677 sites accessed from the EU, and on 17,223 sites accessed from the US with tracking occurring on 11,890 and 13,468 sites respectively. it's reported that Meta implemented this technique starting in September, 2024 and continued until researchers disclosed their findings in June of 2025. Meta has since halted the local host tracking and removed the associated code.
Browser makers, including Google and Mozilla, have also implemented countermeasures to prevent similar techniques, But the potential for European regulators to issue penalties and fines remains an active threat to Meta's. bottom line, There's speculation that meta has violated three major regulations, GDPR, which requires consent for data processing, the Digital Services Act, which prohibits personalized advertising.
Based on sensitive data profiles and the Digital Markets Act, which prohibits data combination across services without explicit consent. Because these regulations protect different legal rights, penalties could be imposed cumulatively. The theoretical maximum exposure reaches about 32 billion euros, representing 4%, 6%, and 10% respectively of Meta's, 164 billion euros of global revenue.
While maximum fines have never been applied simultaneously, there are legitimate arguments that Meta's violation record and the systematic nature of local host tracking could warrant setting that precedent. And they call it the peep show. Security researchers just turned the internet of things into a voyeurs paradise and a national security nightmare.
BitSight discovered 40,000 internet connected cameras worldwide, streaming live footage from data centers, hospitals, and critical infrastructure to anyone with a web browser. No hacking required. Just open Chrome. Navigate to the right URL and watch live feeds from inside sensitive facilities. The US took the biggest hit with 14,000 exposed cameras revealing hospital interiors, data center operations, factory floors, and even private residences.
It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea. BitSight warned, and yet thousands of them are still accessible. The method is disturbingly simple. Most camera manufacturers implement APIs that return live frames when provided with correct web addresses. Researchers systematically tested manufacturers URS until images appeared like digital peeping through windows.
This validates February warnings from the Department of Homeland Security about Chinese made cameras enabling espionage campaigns. The DHS Bulletin warned that tens of thousands of such cameras operate within US critical infrastructure, particularly energy and chemical sectors. Now beyond state threats, cyber criminal marketplaces, actively trade camera access underground forums, list IP addresses with feed descriptions like bedrooms, workshops, and more for stalking and extortion.
The fix is straightforward but urgent. Audit all connected cameras enable encryption by default and scan for unauthorized network access. The Peep Show. Needs to end. And that's our show. Join us this weekend for another episode of the Secret ciso, an in-depth conversation with those who are on the front lines of cybersecurity. Remember, if you're enjoying these programs, please mention us to a friend.
We've grown enormously by word of mouth, And if the shows are useful to you, please think about going to buy me a coffee.com/tech podcast. That's buy me a coffee.com/tech podcast and make even a small contribution. Even the cost of a coffee and a donut once a month makes a big difference, offsets our growing expenses and helps us stay on the air. I'm your host, Jim Love. Thanks for listening.