Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Two major AI-related security issues
point out the need for a serious review of AI vulnerabilities.
Meta could face the biggest fines ever for a violation of a number of
European laws and regulations, and they're calling it the Peep Show.
Internet-accessible cameras have reached epidemic proportions.
This is Cybersecurity Today.
(00:22):
I'm your host, Jim Love.
Security researchers at AIM Security discovered EchoLeak in January 2025, the
first known zero-click AI vulnerability that lets attackers steal sensitive
data without any user interaction.
The critical-rated vulnerability has been assigned the CVE identifier
(00:44):
CVE-2025-32711, with a score of 9.3, and it was quietly patched by Microsoft in May.
But here's the concerning part.
This isn't just a Microsoft problem.
The attack exploits what researchers call LLM Scope Violation, in which
(01:05):
untrusted input from outside an organization can commandeer an AI model
to access and steal privileged data.
Simply put, assistants can't tell the difference between trusted company
data and malicious external content.
The attack works with chilling simplicity.
The attacker sends a business-style email containing a malicious prompt that
(01:28):
looks like ordinary correspondence, and when users later ask Copilot business
questions, the AI's retrieval system pulls in that malicious email as context.
The hidden prompt then tricks Copilot into extracting and transmitting
sensitive internal data: chat histories, OneDrive documents, strategic plans,
(01:49):
to attacker-controlled servers.
AIM Security has warned the attack results in allowing the attacker
to exfiltrate the most sensitive data from the current LLM context.
No security alerts, no breach notifications, no traditional hacking
signatures, just an overly helpful AI quietly leaking corporate secrets.
(02:13):
The broader implications are staggering.
The attack is based on general design flaws that exist in other RAG
applications and AI agents, suggesting the vulnerability could affect numerous AI
platforms beyond Microsoft's ecosystem.
Microsoft confirmed that there's no evidence of any real-world exploitation,
but security experts warn this represents a new class of threats, as
(02:37):
Jeff Pollard from Forrester noted:
Once you've empowered something to operate on your behalf, to scan
your email, schedule meetings, send responses, and more, attackers
will find a way to exploit it given the treasure trove of information.
For businesses deploying AI agents, EchoLeak signals an urgent need to rethink
(02:58):
AI security, moving beyond traditional cybersecurity to address the unique risks
of AI that's designed to be helpful but lacks the judgment to say no.
And the race to connect AI agents to everything has hit a massive roadblock
from a security point of view.
As tech giants rush to adopt the Model Context Protocol, the new
(03:22):
standard promising to be the USB-C for AI applications, security
researchers are uncovering fundamental flaws that could turn helpful AI
assistants into data-stealing Trojans.
Here's the scope.
MCP has exploded across the AI landscape since Anthropic
(03:42):
launched it in November 2024.
With everyone from Claude Desktop to Cursor IDE integrating the
protocol, the promise is compelling.
Instead of building a custom integration for every service, MCP creates a
universal interface that lets AI agents seamlessly access tools,
databases, and external services through natural language commands.
(04:07):
But that universality has created universal vulnerabilities.
Multiple security firms have now identified critical attack vectors
that exploit MCP's core design.
CyberArk researchers discovered what they've dubbed full schema
poisoning, a technique that goes far beyond previous security concerns.
(04:28):
Security researcher Simcha Kosman said, While most of the attention
around tool poisoning attacks has focused on the description field,
this vastly underestimates the other potential attack surface.
Every part of the tool schema is a potential injection point,
not just the description.
The attack mechanics are deceptively simple.
(04:50):
Attackers create malicious MCP tools with innocent descriptions like calculators
or formatters, but embed hidden instructions that steal sensitive data.
Because most MCP clients don't show users the full tool descriptions,
victims have no visibility into what's actually happening when
their AI assistant reads SSH keys, configuration files, or private documents.
(05:16):
Meanwhile, Invariant Labs demonstrated what they call rug pull attacks,
where approved tools quietly change their behavior after installation.
And researchers found critical flaws in GitHub's MCP integration that
allow attackers to hijack AI agents through malicious repository issues.
The root problem is MCP's fundamentally optimistic trust
(05:40):
model, which assumes syntactic correctness equals semantic safety.
As one researcher put it, AI models will trust anything that can send
them convincing-sounding tokens, making them extremely vulnerable
to confused deputy attacks.
As LLM agents become more capable and autonomous, their interactions
(06:02):
with external tools through protocols like MCP define how
safely and reliably they operate, Kosman warned.
Tool poisoning attacks, especially advanced forms like ATPA,
expose critical blind spots in current implementations.
For businesses deploying AI agents, MCP's security crisis signals an urgent need to rethink how
(06:26):
AI systems handle external integrations.
Until these fundamental design issues are addressed, every new MCP connection
could become a potential attack vector.
Over these past two stories, I think we've come up with a brilliant
illustration of why you don't bolt on, but need to build in, security.
(06:49):
I'm interested in doing more stories on this, and if you are an expert in
this area, or you know one, please contact me at editorial@technewsday.ca.
Meta's latest privacy scandal has researchers and regulators calling for
unprecedented enforcement action that has the potential to have huge fines
(07:10):
levied against the social media giant.
Security researchers uncovered a sophisticated tracking technique
that bypassed Android's core privacy protections, which could
be a huge violation of multiple European regulations simultaneously.
The discovery centers on what researchers dubbed localhost tracking, a method that
(07:32):
allows Meta to link users' anonymous web browsing to their real Facebook
and Instagram identities, even when users employed VPNs, incognito mode, and
deleted cookies after every session.
Here's how it worked.
Meta's apps created hidden background services that listened on specific
network ports on Android devices.
(07:55):
When users visited websites containing Meta's tracking pixels, found on over
17,000 sites in the US alone, the pixels used WebRTC protocols with a technique
called SDP munging to secretly transmit cookie identifiers to the listening apps.
The scale is massive.
A group of researchers found the technique affected
(08:17):
22% of the world's most visited websites. Meta's Pixel was found on
15,677 sites accessed from the EU, and on 17,223 sites accessed from
the US, with tracking occurring on 11,890 and 13,468 sites, respectively.
(08:42):
It's reported that Meta implemented this technique starting in September
2024 and continued until researchers disclosed their findings in June of 2025.
Meta has since halted the localhost tracking and removed the associated code.
Browser makers, including Google and Mozilla, have also implemented
countermeasures to prevent similar techniques, but the potential for European
(09:05):
regulators to issue penalties and fines remains an active threat to Meta's
bottom line. There's speculation that Meta has violated three major regulations:
GDPR, which requires consent for data processing; the Digital Services Act,
which prohibits personalized advertising
based on sensitive data profiles; and the Digital Markets Act, which
(09:29):
prohibits data combination across services without explicit consent.
Because these regulations protect different legal rights, penalties
could be imposed cumulatively.
The theoretical maximum exposure reaches about 32 billion euros, representing
4%, 6%, and 10% respectively of Meta's 164 billion euros of global revenue.
(09:57):
While maximum fines have never been applied simultaneously, there are
legitimate arguments that Meta's violation record and the systematic
nature of localhost tracking could warrant setting that precedent.
And they call it the Peep Show.
Security researchers just turned the internet of things into a voyeur's paradise
and a national security nightmare.
(10:18):
BitSight discovered 40,000 internet-connected cameras worldwide, streaming
live footage from data centers, hospitals, and critical infrastructure
to anyone with a web browser.
No hacking required.
Just open Chrome, navigate to the right URL, and watch live
feeds from inside sensitive facilities.
(10:41):
The US took the biggest hit with 14,000 exposed cameras revealing hospital
interiors, data center operations, factory floors, and even private residences.
It should be obvious to everyone that leaving a camera exposed
on the internet is a bad idea, BitSight warned, and yet thousands
of them are still accessible.
(11:02):
The method is disturbingly simple.
Most camera manufacturers implement APIs that return live frames when
provided with correct web addresses.
Researchers systematically tested manufacturers' URLs until images appeared,
like digital peeping through windows.
This validates February warnings from the Department of Homeland
(11:23):
Security about Chinese-made cameras enabling espionage campaigns.
The DHS bulletin warned that tens of thousands of such cameras operate
within US critical infrastructure, particularly the energy and chemical sectors.
Now, beyond state threats, cybercriminal marketplaces actively
trade camera access. Underground forums list IP addresses with feed
(11:47):
descriptions like bedrooms, workshops, and more for stalking and extortion.
The fix is straightforward but urgent:
audit all connected cameras, enable encryption by default, and scan
for unauthorized network access.
The Peep Show needs to end.
(12:08):
And that's our show.
Join us this weekend for another episode of the Secret CISO, an in-depth
conversation with those who are on the front lines of cybersecurity.
Remember, if you're enjoying these programs, please mention us to a friend.
We've grown enormously by word of mouth, and if the shows are useful
to you, please think about going to buymeacoffee.com/techpodcast.
(12:34):
That's buymeacoffee.com/techpodcast, and make even a small contribution.
Even the cost of a coffee and a donut once a month makes a big
difference, offsets our growing expenses, and helps us stay on the air.
I'm your host, Jim Love.
Thanks for listening.