Thousands of Exposed GitHub Repositories, Now Private, Can Still Be Accessed Through Copilot - Slashdot

Feb 27, 2025 - yro.slashdot.org
Security researchers at Lasso, an Israeli cybersecurity company, have found that data exposed on the internet even briefly can persist in online generative AI tools such as Microsoft's Copilot. Once public, the data can be indexed and cached by search engines such as Microsoft's Bing, and that cached copy remains reachable through Copilot after the original has been made private. Lasso co-founder Ophir Dror reported that content from the company's own GitHub repository, which had been public by mistake for a short time, surfaced in Copilot even though the repository had since been set to private and was no longer accessible on GitHub itself.

Lasso's investigation found more than 20,000 GitHub repositories that had been public at some point in 2024 and were later deleted or set to private, but whose data was still accessible through Copilot. These repositories belonged to more than 16,000 organizations, including Amazon Web Services, Google, IBM, PayPal, Tencent, and Microsoft itself. The exposed data could include confidential information, intellectual property, sensitive corporate data, access keys, and tokens. The practical consequence is that making a repository private or deleting it does not undo the exposure: any credential that was in the repository while it was public should be treated as compromised and rotated.

Key takeaways:

  • Data exposed to the internet, even briefly, can persist in online generative AI chatbots like Microsoft Copilot.
  • Lasso, an Israeli cybersecurity company, found data from its own GitHub repository, briefly public by mistake, still accessible through Copilot after the repository was made private.
  • Lasso identified over 20,000 since-private GitHub repositories with data still accessible through Copilot, affecting more than 16,000 organizations.
  • Affected organizations include major companies like Amazon Web Services, Google, IBM, PayPal, Tencent, and Microsoft, with potential exposure of confidential data.