{"id":12579,"date":"2025-08-06T19:12:20","date_gmt":"2025-08-06T19:12:20","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/microsofts-plan-to-fix-the-web-with-ai-has-already-hit-an-embarrassing-security-flaw\/"},"modified":"2025-08-06T19:12:20","modified_gmt":"2025-08-06T19:12:20","slug":"microsofts-plan-to-fix-the-web-with-ai-has-already-hit-an-embarrassing-security-flaw","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/microsofts-plan-to-fix-the-web-with-ai-has-already-hit-an-embarrassing-security-flaw\/","title":{"rendered":"Microsoft\u2019s plan to fix the web with AI has already hit an embarrassing security flaw"},"content":{"rendered":"<div id=\"zephr-anchor\">\n<p>Researchers have already found a critical vulnerability in the new NLWeb protocol Microsoft made a big deal about just a few months ago at Build. It\u2019s a protocol that\u2019s supposed to be \u201cHTML for the Agentic Web,\u201d offering ChatGPT-like search to any website or app. Discovery of the embarrassing security flaw comes in the early stages of Microsoft deploying NLWeb with customers like Shopify, Snowflake, and TripAdvisor.<\/p>\n<p>The flaw allows any remote user to read sensitive files, including system configuration files and even OpenAI or Gemini API keys. What\u2019s worse is that it\u2019s a classic path traversal flaw, meaning it\u2019s as easy to exploit as visiting a malformed URL. Microsoft has patched the flaw, but it raises questions about how something as basic as this wasn\u2019t caught despite Microsoft\u2019s big new focus on security.<\/p>\n<p>\u201cThis case study serves as a critical reminder that as we build new AI-powered systems, we must re-evaluate the impact of classic vulnerabilities, which now have the potential to compromise not just servers, but the \u2018brains\u2019 of AI agents themselves,\u201d says Aonan Guan, one of the security researchers (alongside Lei Wang) who reported the flaw to Microsoft. 
Guan is a senior cloud security engineer at Wyze (yes, that Wyze) but this research was conducted independently.<\/p>\n<p>Guan and Wang reported the flaw to Microsoft on May 28th, just weeks after NLWeb was unveiled. Microsoft issued a fix on July 1st, but has not issued a CVE for the issue \u2014 an industry standard for classifying vulnerabilities. The security researchers have been pushing Microsoft to issue a CVE, but the company has been reluctant to do so. A CVE would alert more people to the fix and allow people to track it more closely, even if NLWeb isn\u2019t widely used yet.<\/p>\n<p>\u201cThis issue was responsibly reported and we have updated the open-source repository,\u201d says Microsoft spokesperson Ben Hope, in a statement to <em>The Verge<\/em>. \u201cMicrosoft does not use the impacted code in any of our products. Customers using the repository are automatically protected.\u201d<\/p>\n<p>Guan says NLWeb users \u201cmust pull and vend a new build version to eliminate the flaw,\u201d otherwise any public-facing NLWeb deployment \u201cremains vulnerable to unauthenticated reading of .env files containing API keys.\u201d<\/p>\n<p>While leaking an .env file in a web application is serious enough, Guan argues it\u2019s \u201ccatastrophic\u201d for an AI agent. \u201cThese files contain API keys for LLMs like GPT-4, which are the agent\u2019s cognitive engine,\u201d says Guan. \u201cAn attacker doesn\u2019t just steal a credential; they steal the agent\u2019s ability to think, reason, and act, potentially leading to massive financial loss from API abuse or the creation of a malicious clone.\u201d<\/p>\n<p>Microsoft is also pushing ahead with native support for Model Context Protocol (MCP) in Windows, all while security researchers have warned of the risks of MCP in recent months. 
If the NLWeb flaw is anything to go by, Microsoft will need to take extra care in balancing the speed of rolling out new AI features against keeping security its number one priority.<\/p>\n<p>Tom Warren<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have already found a critical vulnerability in the new NLWeb protocol Microsoft made a big deal about 
just<\/p>\n","protected":false},"author":7282,"featured_media":12580,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1166],"tags":[],"class_list":["post-12579","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=12579"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12579\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/12580"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=12579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=12579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=12579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
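The article describes the bug class only as "a classic path traversal flaw" that lets an unauthenticated request read a `.env` file. The following is an added example written for this page, not NLWeb's code and not the researchers' proof of concept: a hypothetical static-file resolver shown in its naive form (the request path is joined onto the document root and normalised afterwards) beside a hardened form that canonicalises first, refuses dotfile components such as `.env`, and proves with `os.path.commonpath` that the final path, after symlink resolution, is still under the root. `STATIC_ROOT` and `SAMPLE_REQUESTS` are constructed values; nothing is read from disk, the functions only compute which file a request would map to.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root; nothing is read from disk, the functions only
# compute which path a request would map to. Hypothetical, not NLWeb code.
STATIC_ROOT = "/srv/app/static"

# Constructed request paths: one legitimate asset and two traversal payloads
# of the kind "visiting a malformed URL" implies (plain and URL-encoded).
SAMPLE_REQUESTS = [
    "docs/schema.json",
    "../.env",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
]


def vulnerable_resolve(root: str, request_path: str) -> str:
    """Naive resolution: decode the URL path and join it onto the root.

    normpath() collapses the '..' segments *after* the join, so a request
    for '../.env' walks out of the static directory (CWE-22 path traversal).
    """
    decoded = unquote(request_path).lstrip("/")
    return os.path.normpath(os.path.join(root, decoded))


def hardened_resolve(root: str, request_path: str) -> Optional[str]:
    """Canonicalise the request and prove the result stays under ``root``.

    Returns the absolute path to serve, or None when the request contains a
    NUL byte, names a dotfile component (.env, .git, ...), or resolves
    (including through symlinks) to anything outside the root directory.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    # Normalise as a URL path first: anchoring at '/' means '..' can never
    # climb above the virtual root, and '%2e%2e' was already decoded above.
    norm = posixpath.normpath("/" + decoded)
    # Refuse dotfiles anywhere in the path, independent of the traversal check,
    # so secrets such as .env are never served even from inside the root.
    if any(part.startswith(".") for part in norm.split("/") if part):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, norm.lstrip("/")))
    # Decisive check: after symlink resolution the candidate must still be the
    # root itself or a descendant of it. A string prefix test is not enough
    # ('/srv/app/static-old' starts with '/srv/app/static'); commonpath is.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def escapes_root(root: str, resolved: str) -> bool:
    """True when a resolved path lies outside ``root`` (used for reporting)."""
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(resolved)]) != root_real


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        naive = vulnerable_resolve(STATIC_ROOT, req)
        safe = hardened_resolve(STATIC_ROOT, req)
        print(f"{req!r}")
        print(f"  naive    -> {naive}  (escapes root: {escapes_root(STATIC_ROOT, naive)})")
        print(f"  hardened -> {safe if safe else 'REJECTED'}")
```

Run the file directly to see the three requests resolved both ways. The naive resolver maps `../.env` to `/srv/app/.env`, one directory above the root, which is the shape of the bug the article reports; the hardened resolver rejects it on the dotfile rule before the containment check is even reached. Note that the hardened form maps the encoded `../../../etc/passwd` payload to a harmless file inside the root rather than refusing it; if you would rather log and drop such requests, compare `norm.lstrip("/")` with the decoded input and reject on any difference.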