Copilot broke audit logs, but Microsoft won't tell customers

https://pistachioapp.com/blog/copilot-broke-your-audit-log
143•Sayrus•1h ago

Comments

jayofdoom•1h ago
Generally speaking, anyone can file a CVE. Go file one yourself and force their response. This blogpost puts forth reasonably compelling evidence.
db48x•53m ago
Fun, but it doesn’t deserve a CVE. CVEs are for vulnerabilities that are common across multiple products from multiple sources. Think of a vulnerability in a shared library that is used in most Linux distributions, or is statically linked into multiple programs. Copilot doesn’t meet that criteria.

Honestly, the worst thing about this story is that apparently the Copilot LLM is given the instructions to create audit log entries. That’s the worst design I could imagine! When they use an API to access a file or a url then the API should create the audit log. This is just engineering 101.

gpm•51m ago
Huh, there are CVEs for windows components all the time, random example: https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

Including for end user applications, not libraries, another random example: https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

ecb_penguin•8m ago
> CVEs are for vulnerabilities that are common across multiple products from multiple sources.

This is absolutely not true. I have no idea where you came up with this.

> Honestly, the worst thing about this story is that apparently the Copilot LLM is given the instructions to create audit log entries.

That's not at all what the article says.

> That’s the worst design I could imagine!

Ok, well, that's not how they designed it.

> This is just engineering 101.

Where is the class for reading 101?

aspenmayer•39m ago
It’s true. The form is right here. When they support PGP, I suspect they know what they’re doing and why, and have probably been continuously doing so for longer than I have been alive. Just look at their sponsors and partners.

https://cveform.mitre.org/

Please only use this for legitimate submissions.

nzeid•56m ago
Hard to count the number of things that can go wrong by relying directly on an LLM to manage audit/activity/etc. logs.

What was their bug fix? Shadow prompts?

gpm•54m ago
I'd hope that if a tool the LLM uses reveals any part of the file to the LLM it counts as a read by every user who sees any part of the output that occurred after that revelation was added to the context.
jsnell•44m ago
> Hard to count the number of things that can go wrong by relying directly on an LLM to manage audit/activity/etc. logs.

Nothing in this post suggests that they're relying on the LLM itself to append to the audit logs. That would be a preposterous design. It seems far more likely the audit logs are being written by the scaffolding, not by the LLM, but they instrumented the wrong places. (I.e. emitting on a link or maybe a link preview being output, rather than e.g. on the document being fed to the LLM as a result of RAG or a tool call.)

(Writing the audit logs in the scaffolding is probably also the wrong design, but at least it's just a bad design rather than a totally absurd one.)
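
The difference in instrumentation point that the comment above describes (logging when a link is output versus when a document is fed to the model), as an added example that is not part of the thread and not Microsoft's code. The corpus, the stub model and every function name here are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample corpus; document ids and contents are hypothetical.
CORPUS = {
    "hr/plan.docx": "Headcount plan for next fiscal year.",
    "fin/q3.xlsx": "Q3 forecast and headcount budget.",
    "eng/readme.md": "Build instructions.",
}

@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, user, doc_id, source):
        self.events.append({"user": user, "doc": doc_id, "source": source})

    def docs_for(self, user):
        return {e["doc"] for e in self.events if e["user"] == user}

def retrieve(query, user, audit=None):
    """Retrieval step: return the documents that go into the model context.
    When `audit` is given, every document whose content is returned is logged
    here, before the model sees anything."""
    hits = {d: t for d, t in CORPUS.items() if query.lower() in t.lower()}
    if audit is not None:
        for doc_id in hits:
            audit.record(user, doc_id, "retrieval")
    return hits

def stub_model(context, cite):
    """Stand-in for the LLM: repeats the context, with or without links."""
    return " ".join(
        f"{text} [link:{doc_id}]" if cite else text
        for doc_id, text in context.items()
    )

def audit_rendered_links(answer, user, audit):
    """Misplaced instrumentation: logs only documents linked in the output."""
    for doc_id in re.findall(r"\[link:([^\]]+)\]", answer):
        audit.record(user, doc_id, "render")

def run(query, user, cite):
    """Return (docs logged at render time, docs logged at retrieval time)."""
    at_render, at_retrieval = AuditLog(), AuditLog()
    context = retrieve(query, user, audit=at_retrieval)
    audit_rendered_links(stub_model(context, cite), user, at_render)
    return at_render.docs_for(user), at_retrieval.docs_for(user)
```

When the answer carries no link, the render-time log is empty although the same two documents reached the model; the retrieval-time log is identical in both runs.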

nzeid•28m ago
Heard, but since the content or its metadata must be surfaced by the LLM, what's the fix?
nzeid•21m ago
Thinking about this a bit - you'd have to isolate any interaction the LLM has with any content to some sort of middle end that can audit the LLM itself. I'm a bit out of my depth here, though. I don't know what Microsoft does or doesn't do with Copilot.
verandaguy•29m ago
I'm very sceptical of using shadow prompts (or prompts of any kind) as an actual security/compliance control or enforcement mechanism. These things should be done using a deterministic system.
ath3nd•11m ago
I bet you are a fan of OpenAI's groundbreaking study mode feature.
downrightmike•4m ago
Shadow copies
thenaturalist•51m ago
Hardly have I ever seen corporate incentives so aligned to overhype the capabilities of a technology while it is so raw and unpolished as this one.

The bubble bursting will be epic.

lokar•48m ago
Wait, copilot operates as some privileged user (that can bypass audit?), not as you (or better, you with some restrictions)

That can’t be right, can it?

ceejayoz•46m ago
> That can’t be right, can it?

https://knowyourmeme.com/memes/james-franco-first-time

lokar•44m ago
lol. I’ve avoided MS my entire (30+ year) career. Every now and then I’m reminded I made the right choice.
tomrod•28m ago
Brilliant.
tomrod•28m ago
Sure sounds like, for Microsoft, an audit log is optional when it comes to cramming garbage AI integrations in places they don't belong.
Spooky23•25m ago
No, it accesses data with the user's privilege.
gpm•3m ago
Are you telling me I, a normal unprivileged user, have a way to read files on windows that bypasses audit logs?
jjkaczor•17m ago
So... basically like when Delve was first introduced and was improperly security trimming things it was suggesting and search results.

... Or ... a very long time ago, when SharePoint search would display results and synopses for search terms where a user couldn't open the document, but could see that it existed and could get a matching paragraph or two... Best example I would tell people of the problem was users searching for things like: "Fall 2025 layoffs"... if the document existed, then things were being planned...

Ah Microsoft, security-last is still the thing, eh?

catmanjan•13m ago
As someone else mentioned the file isn't actually accessed by copilot, rather copilot is reading the pre-indexed contents of the file in a search engine...

Really Microsoft should be auditing the search that copilot executes, it's actually a bit misleading to be auditing the file as accessed when copilot has only read the indexed content of the file, I don't say I've visited a website when I've found a result of it in Google

heywire•48m ago
I am so tired of Microsoft cramming Copilot into everything. Search at $dayjob is completely borked right now. It shows a page of results, but then immediately pops up some warning dialog you cannot dismiss that Copilot can’t access some file “” or something. Every VSCode update I feel like I have to turn off Copilot in some new way. And now apparently it’ll be added to Excel as well. Thankfully I don’t have to use anything from Microsoft after work hours.
keyle•35m ago
Everything except the best thing they could have brought back: Clippy! </3
candiddevmike•28m ago
RE: VSCode copilot, you're not crazy, I'm seeing it too. And across multiple machines, even with settings sync enabled, I have to periodically go on each one and uninstall the copilot extension _again_. I'll notice the Add to chat... in the right click context menu and immediately know it got reinstalled somehow.

I'd switch to VSCodium but I use the WSL and SSH extensions :(

userbinator•17m ago
> Thankfully I don’t have to use anything from Microsoft after work hours.

There are employers where you don't have to use anything from Microsoft during work hours either.

xet7•47m ago
https://archive.is/PRTRA
Josh5•44m ago
Are they even sure that the AI even accessed the content that second time? LLMs are really good at making up shit. I have tested this by asking various LLMs to scrape data from my websites while watching access logs. Many times, they don't and just rely on some sort of existing data or spout a bunch of BS. Gemini is especially bad like this. I have not used copilot myself, but my experience with other AI makes me curious about this.
bongodongobob•39m ago
This is it. M365 uses RAG on your enterprise data that you allow it to access. It's not actually accessing the files directly in the cases he provided. It's working as intended.
crooked-v•20m ago
If that's the case, then as noted in the article, the 'as intended' is probably violating liability requirements around various things.
micromacrofoot•42m ago
AI induced hysteria is probably wider spread than initially thought, these people are absolutely insane
QuadmasterXLII•36m ago
This seems like a five alarm fire for HIPPA, is there something I’m missing?
loeg•35m ago
It's HIPAA.
adzm•30m ago
The HIPAA hippo certainly encourages this confusion
ivewonyoung•29m ago
It's HIPPA now for all intensive purposes.
Spooky23•19m ago
It’s a bug. He reported it, they fixed it.

It is not a five alarm fire for HIPAA. HIPAA doesn’t require that all file access be logged at all. HIPAA also doesn’t require that a CVE be created for each defect in a product.

End of the day, it’s a hand-wavy, “look at me” security blog. Don’t get too crazy.

jeanlucas•24m ago
A better title would be: Microsoft Copilot isn't HIPAA compliant

A title like this will get it fixed faster.

rst•23m ago
It already is fixed -- the complaint is that customers haven't been notified.
