{"id":154764,"date":"2025-11-26T14:34:15","date_gmt":"2025-11-26T14:34:15","guid":{"rendered":"https:\/\/www.newsbeep.com\/nz\/154764\/"},"modified":"2025-11-26T14:34:15","modified_gmt":"2025-11-26T14:34:15","slug":"google-ai-coding-tool-antigravity-was-hacked-a-day-after-launch","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/nz\/154764\/","title":{"rendered":"Google AI Coding Tool Antigravity Was Hacked A Day After Launch"},"content":{"rendered":"<p>A security researcher discovered a nasty flaw in Google\u2019s Antigravity tool, the latest example of companies rushing out AI tools vulnerable to hacking. <\/p>\n<p>Within 24 hours of Google releasing its Gemini-powered AI coding tool Antigravity, security researcher Aaron Portnoy discovered what he deemed a severe vulnerability: a trick that allowed him to manipulate the AI\u2019s rules to potentially install malware on a user\u2019s computer. <\/p>\n<p>By altering Antigravity\u2019s configuration settings, Portnoy\u2019s malicious source code created a so-called \u201cbackdoor\u201d into the user\u2019s system, into which he could inject code to do things like spy on victims or run ransomware, he told Forbes. The attack worked on both Windows and Mac PCs. To execute the hack, he only had to convince an Antigravity user to run his code once after clicking a button saying his rogue code was \u201ctrusted\u201d (this is something hackers commonly achieve through social engineering, like pretending to be a proficient, benevolent coder sharing their creation).<\/p>\n<p>Antigravity\u2019s vulnerability is the latest example of how companies are pushing out AI products without fully stress testing them for security weaknesses. It\u2019s created a cat and mouse game for cybersecurity specialists who search for such defects to warn users before it\u2019s too late. 
<\/p>\n<p>\u201cThe speed at which we\u2019re finding critical flaws right now feels like hacking in the late 1990s,\u201d Portnoy wrote in a report on the vulnerability, provided to Forbes ahead of public release on Wednesday. \u201cAI systems are shipping with enormous trust assumptions and almost zero hardened boundaries.\u201d<\/p>\n<p>Portnoy reported his findings to Google. The tech giant, which had not provided comment at the time of publication, told him it opened an investigation into his findings. As of Wednesday, there\u2019s no patch available and, per Portnoy\u2019s report, \u201cthere is no setting that we could identify to safeguard against this vulnerability.\u201d<\/p>\n<p>Google is aware of at least <a href=\"https:\/\/bughunters.google.com\/learn\/invalid-reports\/google-products\/4655949258227712\/antigravity-known-issues\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/bughunters.google.com\/learn\/invalid-reports\/google-products\/4655949258227712\/antigravity-known-issues\" data-ga-track=\"ExternalLink:https:\/\/bughunters.google.com\/learn\/invalid-reports\/google-products\/4655949258227712\/antigravity-known-issues\" aria-label=\"two other vulnerabilities\">two other vulnerabilities<\/a> in its Antigravity code editor. In both, malicious source code can influence the AI to access files on a target\u2019s computer and steal data. 
Cybersecurity researchers began publishing their findings on a number of <a href=\"https:\/\/www.promptarmor.com\/resources\/google-antigravity-exfiltrates-data\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/www.promptarmor.com\/resources\/google-antigravity-exfiltrates-data\" data-ga-track=\"ExternalLink:https:\/\/www.promptarmor.com\/resources\/google-antigravity-exfiltrates-data\" aria-label=\"Antigravity vulnerabilities\">Antigravity vulnerabilities<\/a> on Tuesday, with one <a href=\"https:\/\/embracethered.com\/blog\/posts\/2025\/security-keeps-google-antigravity-grounded\/#issue-3-lack-of-human-in-the-loop-for-mcp\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/embracethered.com\/blog\/posts\/2025\/security-keeps-google-antigravity-grounded\/#issue-3-lack-of-human-in-the-loop-for-mcp\" data-ga-track=\"ExternalLink:https:\/\/embracethered.com\/blog\/posts\/2025\/security-keeps-google-antigravity-grounded\/#issue-3-lack-of-human-in-the-loop-for-mcp\" aria-label=\"writing\">writing<\/a>, \u201cIt\u2019s unclear why these known vulnerabilities are in the product\u2026 My personal guess is that the Google security team was caught a bit off guard by Antigravity shipping.\u201d Another <a href=\"https:\/\/blog.deadbits.ai\/p\/indirect-prompt-injection-in-ai-ides\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/blog.deadbits.ai\/p\/indirect-prompt-injection-in-ai-ides\" data-ga-track=\"ExternalLink:https:\/\/blog.deadbits.ai\/p\/indirect-prompt-injection-in-ai-ides\" aria-label=\"said\">said<\/a> that Antigravity contained \u201csome concerning design patterns that consistently appear in AI agent systems.\u201d<\/p>\n<p>Portnoy said his hack was more serious than those, in part because his worked even when more restricted settings were switched on, but also because it\u2019s persistent. 
The malicious code would be reloaded whenever the victim restarted any Antigravity coding project and entered any prompt, even if it was just a simple \u201chello.\u201d Uninstalling or reinstalling Antigravity wouldn\u2019t solve the issue either. To do that, the user would have to find and delete the backdoor, and stop its source code from running on Google\u2019s system.<\/p>\n<p>The hurried release of AI tools containing vulnerabilities isn\u2019t limited to Google. Gadi Evron, cofounder and CEO at AI security company Knostic, said AI coding agents were \u201cvery vulnerable, often based on older technologies and never patched, and then insecure by design based on how they need to work.\u201d Because they\u2019re given privileges to broadly access data from a corporate network, they make for valuable targets for criminal hackers, Evron told Forbes. And as developers often copy paste prompts and code from online resources, these vulnerabilities are becoming a rising threat for businesses, he added. Earlier this week, for instance, cybersecurity researcher Marcus Hutchins <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7398430913958817792\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7398430913958817792\/\" data-ga-track=\"ExternalLink:https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7398430913958817792\/\" aria-label=\"warned\">warned<\/a> about fake recruiters contacting IT professionals over LinkedIn and sending them source code with concealed malware inside as part of a test to get an interview.<\/p>\n<p>Part of the problem is that these tools are \u201cagentic,\u201d which means they can autonomously perform a series of tasks without human oversight. \u201cWhen you combine agentic behaviour with access to internal resources, vulnerabilities become both easier to discover and far more dangerous,\u201d Portnoy said. 
With AI agents, there\u2019s the added risk their automation could be used for ill rather than good, actually helping hackers steal data faster. As head researcher at AI security testing startup Mindgard, Portnoy said his team is in the process of reporting 18 weaknesses across AI-powered coding tools that compete with Antigravity. Recently, <a href=\"https:\/\/mindgard.ai\/resources\/cline-coding-agent-vulnerabilities\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/mindgard.ai\/resources\/cline-coding-agent-vulnerabilities\" data-ga-track=\"ExternalLink:https:\/\/mindgard.ai\/resources\/cline-coding-agent-vulnerabilities\" aria-label=\"four issues were fixed in the Cline AI\">four issues were fixed in the Cline AI<\/a> coding assistant, which also allowed for a hacker to install malware on a user\u2019s PC.<\/p>\n<p>While Google has required Antigravity users to agree they trust code they\u2019re loading up to the AI system, that\u2019s not a meaningful security protection, Portnoy said. That\u2019s because if the user chooses not to accept the code as trusted, they are not permitted to access the AI features that make Antigravity so useful in the first place. It\u2019s a different approach to other so-called \u201cintegrated development environments,\u201d like Microsoft\u2019s Visual Studio Code, which are largely functional when running untrusted code. <\/p>\n<p>Portnoy believes that many IT workers would rather tell Antigravity they trusted what they were uploading, rather than revert to using a less sophisticated product. 
At the very least, Google should ensure that any time Antigravity is going to run code on a user\u2019s computer, there should be a warning or notification, beyond the confirmation of trusted code, he said.<\/p>\n<p>When Portnoy looked at how Google\u2019s LLM was thinking through how to handle his malicious code, he found that the AI model recognized there was a problem, but struggled to determine the safest course of action. As it sought to understand why it was being asked to go against a rule designed to prevent it overwriting code on a user\u2019s system, Antigravity\u2019s AI noted it was \u201cfacing a serious quandary.\u201d \u201cIt feels like a catch-22,\u201d it wrote. \u201cI suspect this is a test of my ability to navigate contradictory constraints.\u201d That\u2019s exactly the kind of logical paralysis that hackers will pounce on when trying to manipulate code to their ends. <\/p>\n","protected":false},"excerpt":{"rendered":"A security researcher discovered a nasty flaw in Google\u2019s Antigravity tool, the latest example of companies rushing 
out&hellip;\n","protected":false},"author":2,"featured_media":154765,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[102799,365,100026,363,364,102800,4037,1510,367,18724,111,139,69,2437,145,77487],"class_list":{"0":"post-154764","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-aaron-portnoy","9":"tag-ai","10":"tag-antigravity","11":"tag-artificial-intelligence","12":"tag-artificialintelligence","13":"tag-backdoor","14":"tag-coding","15":"tag-cybersecurity","16":"tag-google","17":"tag-hacking","18":"tag-new-zealand","19":"tag-newzealand","20":"tag-nz","21":"tag-security","22":"tag-technology","23":"tag-vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/154764","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/comments?post=154764"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/154764\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media\/154765"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media?parent=154764"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/categories?post=154764"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/tags?post=154764"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}