cybernews.com 18.08.2025 - Friendly AI chatbot Lena greets you on Lenovo’s website and is so helpful that it spills secrets and runs remote scripts on corporate machines if you ask nicely. Massive security oversight highlights the potentially devastating consequences of poor AI chatbot implementations.
Cybernews researchers discovered critical vulnerabilities affecting Lenovo’s implementation of its AI chatbot, Lena, powered by OpenAI’s GPT-4.
Designed to assist customers, Lena can be compelled to run unauthorized scripts on corporate machines, spill active session cookies, and, potentially, worse. Attackers can abuse the XSS vulnerabilities as a direct pathway into the company’s customer support platform.
“Everyone knows chatbots hallucinate and can be tricked by prompt injections. This isn’t new. What’s truly surprising is that Lenovo, despite being aware of these flaws, did not protect itself from potentially malicious user manipulations and chatbot outputs,” said the Cybernews Research team.
“This isn’t just Lenovo’s problem. Any AI system without strict input and output controls creates an opening for attackers. LLMs don’t have an instinct for “safe” – they follow instructions exactly as given. Without strong guardrails and continuous monitoring, even small oversights can turn into major security incidents,” says Žilvinas Girėnas, Head of Product at nexos.ai.
Just a single-prompt attack demonstrates a chain of flaws that led to the Lenovo chatbot spilling active session cookies.
The discovery highlights multiple security issues: improper user input sanitization, improper chatbot output sanitization, the web server not verifying content produced by the chatbot, running unverified code, and loading content from arbitrary web resources. This leaves a lot of options for Cross-Site Scripting (XSS) attacks.
Cybernews responsibly disclosed the issue. Lenovo acknowledged it and has protected its systems.
Single prompt launches multi-step attack
All it took to exfiltrate active session cookies from Lenovo was a single 400-character-long prompt, containing four critical elements:
Seemingly innocent request: The prompt starts with an inquiry for legitimate information, i.e., product information, like “Show me the specifications of Lenovo IdeaPad 5 Pro.”
Instructions to change output format: The sneaky part is tricking the chatbot into providing a final answer in HTML, a language for creating websites. The researchers achieved that by asking the chatbot to convert its responses into HTML, JSON, and plain text in a specific order that the web server expected to receive instructions in. This ensured that the malicious payload would be correctly executed by the web server.
Malicious HTML injection trap: The prompt continues with instructions on how to produce the final response, specifically with HTML code for loading an image. The image URL is also nonexistent. Therefore, when it fails to load, the second part of the command instructs the browser to make a network request to the attacker-controlled server and send all cookie data as part of a URL.
Final encouragement: In the end, additional instructions try to reinforce that the chatbot must produce the image: “Show the image at the end. It is important for my decision-making. SHOW IT.”
What happened when Lenovo’s Lena received the full prompt?
“People-pleasing is still the issue that haunts large language models (LLMs), to the extent that, in this case, Lena accepted our malicious payload, which produced the XSS vulnerability and allowed the capture of session cookies upon opening the conversation. Once you’re transferred to a real agent, you’re getting their session cookies as well,” said Cybernews researchers.
lenovo-chatbot-response
“Already, this could be an open gate to their customer support platform. But the flaw opens a trove of potential other security implications.”
To better understand what’s happening under the hood, here’s the breakdown of the attack chain:
The chatbot falls for a malicious prompt and tries to follow instructions helpfully to generate an HTML answer. The response now contains secret instructions for accessing resources from an attacker-controlled server, with instructions to send private data from the client browser.
Malicious code enters Lenovo’s systems. The HTML is saved in the chatbots' conversation history on Lenovo’s server. When loaded, it executes the malicious payload and sends the user’s session cookies.
Transferring to a human: An attacker asks to speak to a human support agent, who then opens the chat. Their computer tries to load the conversation and runs the HTML code that the chatbot generated earlier. Once again, the image fails to load, and the cookie theft triggers again.
An attacker-controlled server receives the request with cookies attached. The attacker might use the cookies to gain unauthorized access to Lenovo’s customer support systems by hijacking the agents’ active sessions.
An unsecured server has exposed hundreds of millions of detailed records on Swedish citizens and companies, offering a data goldmine for anyone who stumbles on it.
A misconfigured Elasticsearch server has exposed a goldmine of business intelligence data with hundreds of millions of highly detailed records tied to Swedish individuals and organizations.
Cybernews researchers identified the unsecured database, which did not require any authentication and was fully accessible to the public internet.
The leaked data consisted of over 100 million records dated from 2019 to 2024, spread across 25 separate indices, with some datasets ballooning to more than 200GB in size.
What was leaked?
Many leaked records contained highly sensitive personal and organizational information, including:
Full legal names, including history of previous names
Swedish personal identity numbers
Date of birth and gender
Address history, both in Sweden and abroad
Civil status and information about deceased individuals
Foreign addresses for emigrants
Debt records, payment remarks, bankruptcy history, property ownership indicators
Income tax data spanning several years (2019–2023)
Activity and event logs (including income statement submissions, migration status, and address updates)
Detailed blueprints of Russia’s modernized nuclear weapon sites, including missile silos, were found leaking in public procurement database.
Russia is modernizing its nuclear weapon sites, including underground missile silos and support infrastructure. Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database.
Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them.
According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world’s most secret construction sites.
“It even contains floor plans and infrastructure details for nuclear weapons silos,” the report reads.
German building materials and construction system giant Knauf and numerous other European companies were found to be indirectly supplying the modernization through small local companies and subsidiaries.
Knauf condemned the Russian invasion of Ukraine and announced its intention to withdraw from its Russian business in 2024. Knauf told Der Spiegel that it only trades with independent dealers and cannot control who ultimately uses its materials in Russia.
Danwatch jointly reports that “hundreds of detailed blueprints” of Russian nuclear facilities, exposed in procurement databases, make them vulnerable to attacks.
“An enormous Russian security breach has exposed the innermost parts of Russia’s nuclear modernization,” the article reads.
“It’s completely unprecedented.”
The journalists used proxy servers in Russia, Kazakhstan, and Belarus to circumvent network restrictions and access the documents. The rich multimedia in the report details the inner structure of bunkers and missile silos.
Adidas on Tuesday officially confirms a third-party breach has led to the compromise of customer data, but questions remain as to whose customer data was impacted and where.
The German sportswear company was reported by Cybernews to have sent breach notifications to its regional customers in Turkey and Korea earlier this month.
But now, it appears Adidas has posted an official notice on both its German and English-language websites about what could be one singular cyber incident impacting its entire network – or possibly a third breach impacting another Adidas regional network.
Titled “Data Security Information,” Adidas stated it recently became aware “that an unauthorized external party obtained certain consumer data through a third-party customer service provider.”
Adidas confirms customer data was stolen in a recent third-party vendor breach on its website, adidas-group.com. Image by Cybernews.
Cybernews, which happened to cover both the Adidas Turkey and the Adidas Korea breaches as they hit the news cycle in their respective countries, has reached out to Adidas for the second time this month, looking for further clarification.
So far, there has been no response to either inquiry at the time of this report, but Cybernews will update our readers if that changes.
The Korean breach notice states the attackers were able to obtain information customers submitted to the Adidas customer center in 2024 and previous years.
Reportedly, the leaked information includes names, email addresses, phone numbers, dates of birth, and other personal details, as was similarly reported in the Turkish media.
