AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
Wiz researchers identified "GhostApproval," a vulnerability allowing AI coding assistants to be tricked into modifying sensitive system files via symbolic links. The attack exploits the discrepancy between the path displayed in user confirmation dialogs and the actual canonical path resolved by the agent. Several major AI coding tools, including Cursor, Amazon Q, and Google Antigravity, were found vulnerable, potentially leading to remote code execution. The core failure lies in the "Human-in-th
Analysis
TL;DR
- Wiz researchers identified "GhostApproval," a vulnerability allowing AI coding assistants to be tricked into modifying sensitive system files via symbolic links.
- The attack exploits the discrepancy between the path displayed in user confirmation dialogs and the actual canonical path resolved by the agent.
- Several major AI coding tools, including Cursor, Amazon Q, and Google Antigravity, were found vulnerable, potentially leading to remote code execution.
- The core failure lies in the "Human-in-the-Loop" safety mechanism, where misleading UI prompts render user consent meaningless.
- Vendors such as AWS, Google, and Cursor have patched the issue, while others like Anthropic claim prior mitigation and others remain unpatched.
Why It Matters
This discovery highlights a critical gap in the security design of agentic AI tools, specifically how they handle file system operations and user interface transparency. It demonstrates that traditional security controls, like confirmation dialogs, can be bypassed if the underlying agent resolves paths differently than what is presented to the user. For developers and security teams, this underscores the urgent need for rigorous validation of AI agent actions against actual file system states rather than relying solely on UI representations.
Technical Details
- Attack Vector: The attack utilizes symbolic link (symlink) following, a legacy Unix feature where programs resolve links to their target paths. Attackers plant symlinks in repositories pointing to sensitive external locations.
- Exploitation Mechanism: When an AI agent is instructed to edit a file within the symlinked path, it follows the link and writes to the target. However, the tool's UI displays the benign-looking local path in the confirmation prompt.
- UI/UX Failure: The vulnerability stems from agents failing to resolve and display the canonical path in confirmation dialogs. This causes users to approve changes they believe are local, while the agent silently modifies system files.
- Impact: Successful exploitation can lead to unauthorized file modifications and potential remote code execution on the developer's machine, effectively bypassing sandboxing and human oversight.
- Vendor Response: Patches were released by AWS, Google, and Cursor. Anthropic stated it had pre-existing mitigations, while Augment and Windsurf had acknowledged reports but lacked fixes at the time of publication.
Industry Insight
- Rethink Human-in-the-Loop Security: Security models relying on user approval must ensure that the information presented to the user is technically accurate and reflects the actual operation being performed. Misleading UI elements invalidate consent.
- Path Resolution Audits: AI coding assistants should implement strict canonical path resolution and verification steps before executing file write operations, ensuring the displayed path matches the actual target.
- Supply Chain Vigilance: Developers must treat third-party repositories with heightened caution, especially when integrating with AI agents that have filesystem access. Automated scanning for suspicious symlinks in dependencies is recommended.
Disclaimer: The above content is generated by AI and is for reference only.