Subj : Microsoft's AI healthcare bots might have some worrying security
To   : All
From : TechnologyDaily
Date : Wed Aug 14 2024 12:15:04

Microsoft's AI healthcare bots might have some worrying security flaws

Date:
Wed, 14 Aug 2024 11:02:58 +0000

Description:
Server-side request forgery in Azure Health Bot Service allowed researchers 
to bypass certain protections and access sensitive data.

FULL STORY
======================================================================

Microsofts AI-powered bots for the healthcare industry have been found to be 
vulnerable in a way that allowed threat actors to move across the target IT 
infrastructure, and even steal sensitive information. 

Cybersecurity researchers Tenable, who discovered the flaws and reported them 
to Microsoft, outlined how the flaws in Azure Health Bot Service enabled 
lateral movement throughout the network, and thus access to sensitive patient 
data. 

The Azure AI Health Bot Service is a tool enabling developers to build and 
deploy virtual health assistants, powered by artificial intelligence (AI). 
That way, healthcare orgs can cut down on cost and improve efficiency, 
without compromising on compliance. Data Connections 

Generally speaking, digital assistants also work with plenty of sensitive 
information, which makes security and data integrity paramount. 

Tenable sought to analyze how the chatbot handles the workload, and found a 
few issues in a feature called Data Connections, designed to pull data from 
other services. The researchers pointed out that the tool does have built-in 
safeguards that block unauthorized access to internal APIs, but they managed 
to bypass them by issuing redirect responses while reconfiguring a data 
connection through a controlled external host. 

They set up the host to respond to requests with a 301 redirect response 
aimed at Azures metadata service (IMDS). That gave them access to a valid 
metadata response which, in turn, gave them an access token for 
management.azure.com. With the token, they were able to get a list of all the 
subscriptions it grants access to. 

A few months ago, Tenable reported its findings to Microsoft, and soon after 
all regions were patched. There is no evidence the flaw was exploited in the 
wild, it added. 

"The vulnerabilities discussed....involve flaws in the underlying 
architecture of the AI chatbot service rather than the AI models themselves," 
the researchers noted, adding this, "highlights the continuedimportance of 
traditional web application and cloud securitymechanisms in this new age of 
AI powered services." More from TechRadar Pro Lots of sensitive data is still 
being posted to ChatGPTa Here's a list of the best malware removal tools 
around today These are the best endpoint security tools right now



======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsofts-ai-healthcare-bots-might-hav
e-some-worrying-security-flaws


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.