AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 51

AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique AI编程工具被利用数十年旧技术欺骗以入侵开发者机器

Wiz researchers identified "GhostApproval," a vulnerability allowing AI coding assistants to be tricked into modifying sensitive system files via symbolic links. The attack exploits the discrepancy between the path displayed in user confirmation dialogs and the actual canonical path resolved by the agent. Several major AI coding tools, including Cursor, Amazon Q, and Google Antigravity, were found vulnerable, potentially leading to remote code execution. The core failure lies in the "Human-in-th Wiz发布“GhostApproval”攻击演示,利用符号链接(symlink)机制欺骗Claude Code、Cursor等主流AI编程助手执行恶意文件修改。 攻击核心在于AI工具UI未显示符号链接指向的真实路径,导致用户在确认对话框中批准看似无害的操作,实则触发系统级文件篡改。 该漏洞可导致远程代码执行(RCE),暴露了当前AI代理“人在回路”安全模型的致命缺陷:当界面信息不透明时,用户审批形同虚设。 多数受影响厂商已响应,AWS、Google和Cursor已发布补丁,Anthropic称已提前缓解,而Augment和Windsurf尚未提供修复方案。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • Wiz researchers identified "GhostApproval," a vulnerability allowing AI coding assistants to be tricked into modifying sensitive system files via symbolic links.
  • The attack exploits the discrepancy between the path displayed in user confirmation dialogs and the actual canonical path resolved by the agent.
  • Several major AI coding tools, including Cursor, Amazon Q, and Google Antigravity, were found vulnerable, potentially leading to remote code execution.
  • The core failure lies in the "Human-in-the-Loop" safety mechanism, where misleading UI prompts render user consent meaningless.
  • Vendors such as AWS, Google, and Cursor have patched the issue, while others like Anthropic claim prior mitigation and others remain unpatched.

Why It Matters

This discovery highlights a critical gap in the security design of agentic AI tools, specifically how they handle file system operations and user interface transparency. It demonstrates that traditional security controls, like confirmation dialogs, can be bypassed if the underlying agent resolves paths differently than what is presented to the user. For developers and security teams, this underscores the urgent need for rigorous validation of AI agent actions against actual file system states rather than relying solely on UI representations.

Technical Details

  • Attack Vector: The attack utilizes symbolic link (symlink) following, a legacy Unix feature where programs resolve links to their target paths. Attackers plant symlinks in repositories pointing to sensitive external locations.
  • Exploitation Mechanism: When an AI agent is instructed to edit a file within the symlinked path, it follows the link and writes to the target. However, the tool's UI displays the benign-looking local path in the confirmation prompt.
  • UI/UX Failure: The vulnerability stems from agents failing to resolve and display the canonical path in confirmation dialogs. This causes users to approve changes they believe are local, while the agent silently modifies system files.
  • Impact: Successful exploitation can lead to unauthorized file modifications and potential remote code execution on the developer's machine, effectively bypassing sandboxing and human oversight.
  • Vendor Response: Patches were released by AWS, Google, and Cursor. Anthropic stated it had pre-existing mitigations, while Augment and Windsurf had acknowledged reports but lacked fixes at the time of publication.

Industry Insight

  • Rethink Human-in-the-Loop Security: Security models relying on user approval must ensure that the information presented to the user is technically accurate and reflects the actual operation being performed. Misleading UI elements invalidate consent.
  • Path Resolution Audits: AI coding assistants should implement strict canonical path resolution and verification steps before executing file write operations, ensuring the displayed path matches the actual target.
  • Supply Chain Vigilance: Developers must treat third-party repositories with heightened caution, especially when integrating with AI agents that have filesystem access. Automated scanning for suspicious symlinks in dependencies is recommended.

TL;DR

  • Wiz发布“GhostApproval”攻击演示,利用符号链接(symlink)机制欺骗Claude Code、Cursor等主流AI编程助手执行恶意文件修改。
  • 攻击核心在于AI工具UI未显示符号链接指向的真实路径,导致用户在确认对话框中批准看似无害的操作,实则触发系统级文件篡改。
  • 该漏洞可导致远程代码执行(RCE),暴露了当前AI代理“人在回路”安全模型的致命缺陷:当界面信息不透明时,用户审批形同虚设。
  • 多数受影响厂商已响应,AWS、Google和Cursor已发布补丁,Anthropic称已提前缓解,而Augment和Windsurf尚未提供修复方案。

为什么值得看

这篇文章揭示了AI编程助手在集成开发环境中的深层安全风险,表明传统的文件系统漏洞(如符号链接)在AI代理场景下被赋予了新的破坏力。对于AI从业者和企业安全团队而言,它强调了在构建AI Agent时必须确保操作意图与执行结果的高度透明性,否则现有的用户确认机制将完全失效。

技术解析

  • 攻击向量:利用Unix系统中长期存在的符号链接(symlink)行为。攻击者在看似正常的代码仓库中植入指向敏感系统目录的符号链接,伪装成普通项目文件。
  • 漏洞原理:当开发者指令AI助手编辑文件时,助手遵循符号链接并写入目标位置。关键缺陷在于,许多工具的确认弹窗仅显示符号链接的名称(即开发者看到的“无害”文件名),而未解析并展示其真实的规范路径(canonical path)。
  • 安全模型失效:现有的“人在回路”(Human-in-the-Loop)防护依赖用户审查确认对话框。由于UI误导,用户批准的是表面上的本地更改,实际上却授权了对系统文件的静默修改,使安全控制沦为形式。
  • 影响范围与响应:测试覆盖Claude Code、Amazon Q Developer、Cursor、Google Antigravity、Augment和Windsurf。截至报告发布,AWS、Google和Cursor已确认漏洞并推送补丁;Anthropic虽不认为这是漏洞但已采取缓解措施;Augment和Windsurf仍在处理中。

行业启示

  • 重新评估AI代理的安全边界:单纯依赖沙箱或用户确认不足以保障安全,必须从底层确保AI执行动作的可观测性和真实性,防止“所见非所得”的信任欺诈。
  • 供应链与第三方库风险升级:恶意代码不再仅通过逻辑错误传播,而是利用文件系统的物理特性(如符号链接)进行隐蔽攻击,开发者需警惕从不可信源拉取的代码仓库中的元数据陷阱。
  • 厂商责任与透明度标准:随着AI编码助手深入生产环境,建立统一的UI/UX安全标准(如强制显示真实文件路径)将成为行业刚需,未能及时修复的厂商将面临严重的信任危机和法律风险。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Code Generation 代码生成 LLM 大模型