Pen testers accused of 'blackmail' after reporting Eurostar chatbot flaws (www.theregister.com)

Researchers at Pen Test Partners uncovered significant security vulnerabilities in Eurostar's public AI chatbot, capable of exposing users to prompt injection attacks and HTML code injections. The flaws arose from inadequate security measures in the chatbot's design, which allowed attackers to tamper with earlier messages in the chat history after passing guardrail checks on new inputs. This oversight could lead to severe consequences, including potential data breaches if the chatbot handles sensitive user information. The situation escalated when the researchers' attempt at responsible disclosure was met with accusations of "blackmail" from Eurostar's head of security after delays in communication. Although Eurostar has patched some issues, the incident underscores the importance of robust security practices in AI applications, particularly for customer-facing services. This episode serves as a crucial reminder for companies to prioritize the integration of comprehensive security measures during the development of AI chatbots to prevent similar vulnerabilities in the future.