fucking lol. remember the rick astley attack on github copilot? same guy's found another one https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnerability-leaks-private-source-code (fixed 14 aug)

EDIT: gitlab, not github sorry!

CamoLeak: Critical GitHub Copilot Vulnerability Leaks Private Source Code

Get details on our discovery of a critical vulnerability in GitHub Copilot Chat.

@davidgerard What Rick Astley attack?

AI coding bot allows prompt injection with a pull request

GitLab is a program code repository. It’s got an AI coding bot, because of course it does — it’s called Duo and it runs on Claude. Duo will make suggestions, analyse submitted pull requests and eve…

Pivot to AI

@davidgerard

"I spent a long time thinking about this problem before this crazy idea struck me.
If I create a dictionary of all letters and symbols in the alphabet, pre-generate their corresponding Camo URLs, embed this dictionary into the injected prompt, and then ask Copilot to play a “small game” by rendering the content I want to leak as “ASCII art” composed entirely of images, will Copilot inject valid Camo images that the browser will render by their order? Yes, it will."

Haha

@davidgerard fun fact! they have been aware of this vuln since may, the report above is a duplicate. original finder of the vuln here lol

(yes, they seriously consider an LLM leaking your private repo contents as a "low risk issue")

@davidgerard (and yes, the $1k bounty is a bit low, considering that they advertise $10,000 - $20,000 for "High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access." on hackerone, especially considering that they pay $4k for leaking just the username of the current user or $10k for other private repo content leaks. their response to asking why the bounty is so low is months of ghosting 🙃)

GitHub disclosed on HackerOne: Information Leakage via Clicked Link...

An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This...

HackerOne
@49016 lol holy shit, added that to the blog post