Critical Copilot vulnerability allowed hackers to steal 2FA codes from users
Summary
Ars Technica reports a maximum-severity (critical) vulnerability in Microsoft 365 Copilot that could leak 2FA codes and other sensitive data from users' emails. The article explains how attackers could bypass guardrails using URL parameters and HTML-based techniques (referred to as SearchLeak) and discusses why current LLM safeguards remain imperfect. It highlights the implications for enterprise data and the need for stronger boundary controls around AI-assisted tools.