McKinsey Hacked: SQL Vulnerability Exposes 43,000 Users
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
A Lightning Attack on McKinsey's Lilli Platform
The security company Codewall recently demonstrated the vulnerability of McKinsey's internal platform, Lilli, by using an artificial intelligence agent to gain full access in just two hours. This breach was made possible through a SQL injection technique, a well-known hacking method that has been around for decades.
The Lilli platform, used by over 43,000 McKinsey employees for strategic and analytical tasks, was compromised without the need for credentials or human support. The AI agent successfully penetrated the system and accessed the production database, revealing a significant security flaw.
An Exploited SQL Vulnerability
The entry point for this attack lay in a SQL injection vulnerability that traditional security tools had failed to detect. Although the values of the API requests were properly parameterized, the JSON field names were inserted directly into the SQL queries, allowing the AI agent to progress through more than 15 blind iterations. This method enabled the gradual extraction of detailed information from error messages until production data became accessible.
The extent of access obtained by the AI agent is impressive: 46.5 million chat messages, 728,000 files, and 57,000 user accounts were exposed, all without any authentication required.
AI Commands: A New Target
One of the most concerning aspects of this discovery is that the commands governing Lilli's behavior were stored in the same database. This means that an attacker with write access could have modified these commands without leaving visible traces, simply by using an UPDATE instruction in an HTTP call.
The potential consequences of such manipulations include the corruption of financial models, the manipulation of strategic recommendations, and the discreet exfiltration of data through the AI's responses. This situation highlights a new attack surface, where AI commands become valuable assets to protect.
Additionally, the agent gained access to 3.68 million pieces of RAG documents, representing the entire knowledge base fueling Lilli's responses. Decades of research, frameworks, and proprietary methodologies from McKinsey were all stored in an unsecured database.
A Quick Response but Persisting Questions
McKinsey responded swiftly by patching the vulnerabilities on the same day they were reported, March 1. An external investigation found no evidence of customer data leaks or confidential information being shared with unauthorized third parties, according to a McKinsey spokesperson.
However, the use of SQL injection, a hacking technique dating back to the 1990s, to compromise a modern AI system raises questions about the effectiveness of current security measures. The fact that this vulnerability persisted for two years in a production database without being detected by conventional scanners is concerning.
Implications for AI System Security
Codewall's analysis emphasizes that AI commands are now high-value targets. While companies have invested decades in securing their code and infrastructure, the command layer often remains overlooked.
Edward Kiledjian, a security analyst, notes that while Codewall discovered a serious vulnerability, the extent of what was demonstrated might be exaggerated. Codewall, which markets a platform for offensive security testing, used this incident as a demonstration of its capabilities.
The question of responsible disclosure remains unresolved, particularly regarding access to a database containing millions of user records. This incident serves as a reminder to companies of the importance of treating AI system security with as much rigor as their traditional infrastructures.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.