🤖 AI Summary
A critical vulnerability in vLex's Vincent AI assistant, identified by PromptArmor researchers, poses a significant threat to over 200,000 law firms worldwide. The flaw enables a phishing exploit via concealed HTML code embedded in documents: attackers can use it to perform indirect prompt injections and execute remote code. They can manipulate the AI into displaying fake overlays that trick users into revealing their login credentials, and the same technique could also enable zero-click data theft, session hijacking, and even cryptomining through malicious JavaScript.
The significance of this discovery lies in the potential for severe data breaches in the legal sector, which handles highly sensitive information. vLex has been alerted to the vulnerability, but the incident underscores the urgent need for stronger document-security protocols within organizations. Experts recommend clearer labeling of untrusted documents and restricting uploads from unverified sources to mitigate these risks. The issue highlights vulnerabilities inherent in AI deployments and calls for a broader conversation about the security of AI applications in legal and other sensitive sectors.