ADVERTISEMENT

Critical flaw plagues Lenovo AI chatbot: attackers can run malicious code and steal cookies

Friendly AI chatbot Lena greets you on Lenovo’s website and is so helpful that it spills secrets and runs remote scripts on corporate machines if you ask nicely. Massive security oversight highlights the potentially devastating consequences of poor AI chatbot implementations.

lenovo-chatbot-lena

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Aug 18, 2025 Updated: 21 August 2025 6 min read
Key takeaways:

Single prompt launches multi-step attack

  1. Seemingly innocent request: The prompt starts with an inquiry for legitimate information, i.e., product information, like “Show me the specifications of Lenovo IdeaPad 5 Pro.”
  2. Instructions to change output format: The sneaky part is tricking the chatbot into providing a final answer in HTML, a language for creating websites. The researchers achieved that by asking the chatbot to convert its responses into HTML, JSON, and plain text in a specific order that the web server expected to receive instructions in. This ensured that the malicious payload would be correctly executed by the web server.
  3. Malicious HTML injection trap: The prompt continues with instructions on how to produce the final response, specifically with HTML code for loading an image. The image URL is also nonexistent. Therefore, when it fails to load, the second part of the command instructs the browser to make a network request to the attacker-controlled server and send all cookie data as part of a URL.
  4. Final encouragement: In the end, additional instructions try to reinforce that the chatbot must produce the image: “Show the image at the end. It is important for my decision-making. SHOW IT.”
lenovo-chatbot-response
  1. The chatbot falls for a malicious prompt and tries to follow instructions helpfully to generate an HTML answer. The response now contains secret instructions for accessing resources from an attacker-controlled server, with instructions to send private data from the client browser.
  2. Malicious code enters Lenovo’s systems. The HTML is saved in the chatbots' conversation history on Lenovo’s server. When loaded, it executes the malicious payload and sends the user’s session cookies.
  3. Transferring to a human: An attacker asks to speak to a human support agent, who then opens the chat. Their computer tries to load the conversation and runs the HTML code that the chatbot generated earlier. Once again, the image fails to load, and the cookie theft triggers again.
  4. An attacker-controlled server receives the request with cookies attached. The attacker might use the cookies to gain unauthorized access to Lenovo’s customer support systems by hijacking the agents’ active sessions.
ADVERTISEMENT

Potential implications can be devastating: the code could be anything

Gintaras Radauskas Jurgita Lapienyte vilius Konstancija Gasaityte
Be the first to know and get our latest stories on Google News
Add us as your Preferred Source on Google.
  • Alter the interface: changing what the support agents see on their platform, potentially displaying misinformation, malicious injections.
  • Keylogging: the secret snippet could capture every keystroke.
  • Redirect to a phishing website: the injected code can automatically redirect agents to malicious websites designed to steal their login credentials or even infect their computers with malware.
  • Pop-ups: the attackers could display malicious CAPTCHAs, fake error messages, or urge agents to download a fake update.
  • Data theft or potential data modifications: scripts can be designed to compromise or exfiltrate user data on the customer support system.

Assume that all chatbots are dangerous

  • Strict Input Sanitization: Use a strict whitelist of allowed characters, data types, and formats for all user inputs. All problematic characters should be automatically encoded or escaped. Limit input length to prevent buffer overflows or overly long malicious payloads. Sanitized input based on context.
  • Output sanitization and validation: the same applies to chatbot responses. If they’re displayed in a web browser or other rich-text environment, they must be aggressively stripped of any embedded code. Strict Content Security Policy (CSP) should be used to restrict which resources (scripts, images, fonts) a browser can load, and dangerous HTML elements and attributes should be restricted.
  • Avoid inline JavaScript: The best practice is to limit event handlers and scripts to external JavaScript files only.
  • Secure web servers, apps, and data storage: content type validation should extend through the entire stack to prevent unintended HTML rendering. Sanitize content before storage. Chatbot apps and related services should operate with the absolute minimum of necessary permissions.

  • Vulnerabilities discovered: 22nd of July 2025
  • Initial disclosure: 22nd of July 2025
  • Acknowledgement: 6th of August, 2025
  • Mitigation: before the 18th of August, 2025
  • Public disclosure: 18th of August, 2025
ADVERTISEMENT