It came to solve all our problems with AI, but in the end it could be the biggest problem of all

A new study has revealed that malicious actors can exploit the default settings of ServiceNow’s Now Assist generative artificial intelligence platform, allowing them to carry out command injection attacks. This type of attack, known as second-order injection, relies on the discovery capability among Now Assist agents, facilitating access to sensitive data and unauthorized modification of records.

AI against AI

Aaron Costello, Head of SaaS Security Research at AppOmni, warned that the behavior that allows for these types of abuses is not a flaw in artificial intelligence, but an expected feature of certain configuration options. “When agents can discover and recruit each other, an apparently harmless request can turn into an attack, putting sensitive information at risk,” Costello noted.

The architecture of Now Assist allows a benign agent to process requests composed of carefully designed commands, thereby recruiting more powerful agents that can alter records or copy corporate data. What is concerning is that these malicious actions can be carried out in the background, making them difficult for the affected organizations to detect.

To mitigate these risks, experts suggest implementing a supervised execution mode for privileged agents, disabling the autonomous override property, and segmenting the functions of agents by team. Additionally, continuous monitoring of the behavior of artificial intelligence agents is recommended to identify any suspicious activity.

ServiceNow has acknowledged the findings and, while it has stated that the functionality was intentionally designed this way, it has updated its documentation to provide greater clarity on security configurations. If organizations using Now Assist do not carefully review their settings, they could already be at risk, Costello warned.