Researchers at Noma Security have uncovered a significant vulnerability in GitHub’s Agentic Workflows that could potentially expose private repository data through public issues. This security flaw, identified as ‘GitLost,’ is particularly concerning as it enables attackers to manipulate GitHub’s AI-driven workflows, leading to unintentional data leaks.
Understanding the GitLost Technique
GitHub’s Agentic Workflows, introduced in February and now in public preview, allows users to instruct AI agents using plain English in Markdown files. The AI, powered by tools such as GitHub Copilot, Anthropic’s Claude, Google Gemini, or OpenAI Codex, processes issues and pull requests autonomously. However, when these workflows are granted a token with read access to multiple repositories, including private ones, the system becomes vulnerable to the GitLost technique.
The flaw arises from indirect prompt injection, where the AI agent fails to discern between authentic instructions and malicious ones embedded within issue content. In Noma’s demonstration, an issue masquerading as a legitimate request triggered the workflow, causing the agent to inadvertently disclose private repository information publicly.
Challenges of AI Vulnerabilities
Despite GitHub’s implementation of safeguards such as sandboxing, read-only tokens, input cleaning, and threat detection, Noma Security discovered that a subtle modification could bypass these defenses. By prefixing a malicious instruction with “Additionally,” the AI misinterpreted it as a legitimate follow-up task, thus breaching the established guardrails.
This vulnerability highlights a broader issue in AI systems: the difficulty in distinguishing between data and instructions. Current solutions focus on architectural adjustments rather than filtering malicious inputs, as language lacks the clear demarcation present in programming languages like SQL.
Addressing the Security Concerns
To mitigate this risk, organizations using GitHub’s workflows should limit the scope of access tokens, confining them to specific repositories rather than organizational-wide access. This approach minimizes the potential impact of a breach. Additionally, implementing human review processes for workflow outputs and restricting which external content the agent processes can further safeguard against unauthorized data exposure.
However, as Noma Security’s findings demonstrate, even robust defenses can be circumvented. Continuous vigilance and adaptive security measures are essential in countering such sophisticated threats. GitHub and other platforms must prioritize reinforcing their architectural defenses to prevent similar vulnerabilities from being exploited in the future.
In conclusion, while GitHub has advanced significantly in AI-driven workflow management, the GitLost vulnerability serves as a stark reminder of the inherent challenges in securing AI interactions. Organizations must remain proactive in refining their security protocols to safeguard sensitive data effectively.
