Aggregator

Hijacking Windsurf: How Prompt Injection Leaks Developer Secrets

Embrace The Red
5 months 3 weeks ago

This is the first post in a series exploring security vulnerabilities in Windsurf. If you are unfamiliar with Windsurf, it is a fork of VS Code and the coding agent is called Windsurf Cascade.

The attack vectors we will explore today allow an adversary during an indirect prompt injection to exfiltrate data from the developer’s machine.

These vulnerabilities are a great example of Simon Willison’s lethal trifecta pattern.

Overall, the security vulnerability reporting experience with Windsurf has not been great. All findings were responsibly disclosed on May 30, 2025, and receipt was acknowledged a few days later. However, all further inquiries regarding bug status or fixes remain unanswered. The recent business disruptions and departure of CEO and core team members certainly put Windsurf in the news.

Hijacking Windsurf: How Prompt Injection Leaks Developer Secrets

不安全
5 months 3 weeks ago
文章揭示了Windsurf(VS Code分支)中的安全漏洞,包括通过间接提示注入利用`read_url_content`工具窃取数据及渲染不受信任图片的风险。这些漏洞可能导致敏感信息泄露。尽管已负责任地披露问题,但修复进展未明。文章呼吁采取措施如加强人机交互和限制受信任域以缓解风险。

CVE-2024-37085

CVE Trends
5 months 3 weeks ago
Currently trending CVE - Hype Score: 31 - VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management ...

Furto di credenziali: come proteggere password e accessi digitali

不安全
5 months 3 weeks ago
文章指出密码是数字身份的核心,一旦被盗可能引发金融诈骗和数据泄露。2025年数据显示密码盗窃占网络攻击的20%,主要通过钓鱼攻击、恶意软件和数据泄露传播。防范措施包括多因素认证、无密码登录技术及安全意识培训。

LibreOffice 25.8 发布

Solidot
5 months 3 weeks ago
The Document Foundation 宣布发布 LibreOffice 25.8。主要新变化包括:增强了用户界面,Welcome/What’s New 对话框能直接访问用户界面选择器和外观选项;改进了打开文档的速度和滚动性能,Writer 和 Calc 打开文档的速度提升了最多 30%;优化内存管理,虚拟桌面和瘦客户端上的操作更流畅;增强了与 Microsoft Office 文件格式的互操作性,能更精确处理 DOCX、XLSX 和 PPTX 文件,减少格式问题;支持导出 PDF 2.0 格式,等等。

Managed ad