Major security flaw exposed in enterprise chatbot maker Yellow.ai 

Cybernews has just released a report about enterprise chatbot maker Yellow.ai. It reveals that Yellow.ai’s customer service chatbot allowed users to steal cookies and execute malicious code upon request, with zero pushback.

The flaw highlights multiple security issues: improper sanitization of user input, improper sanitization of the chatbot's output, a web server that never verified the content the chatbot produced, execution of unverified code, and loading of content from arbitrary web resources. Together, these leave many openings for Cross-Site Scripting (XSS) attacks.

Cybernews reached out to Yellow.ai before publishing the research, and the company fixed the issue by sanitizing the generated code, ensuring that it would not get executed. However, the bot still generates malicious code if asked.
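The issues listed above (bot output trusted as markup, no server-side check) and the fix described (sanitizing generated content so it is never executed) can be illustrated with a small added example; this is not Yellow.ai's code, and the sample bot reply, the placeholder `alert(1)` payload, and the function names are constructed for illustration.

```javascript
// Added example: chatbot output must be treated as untrusted before it
// reaches the page. Shows the vulnerable pattern beside a hardened one,
// plus a server-side gate that flags active content before it is sent.

// Constructed sample reply, standing in for a model answer that a user
// coaxed into emitting an HTML tag with an event handler (harmless here).
const SAMPLE_BOT_REPLY =
  'Sure! Here is your snippet: <img src=x onerror="alert(1)">';

// Vulnerable pattern: the reply is interpolated as markup (what would then
// be assigned to innerHTML), so any tag or handler in it runs in the browser.
function renderUnsafe(reply) {
  return `<div class="bot">${reply}</div>`;
}

// Hardened pattern: escape every HTML metacharacter so the reply is shown
// as text only. In a real widget, prefer element.textContent over innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(reply) {
  return `<div class="bot">${escapeHtml(reply)}</div>`;
}

// Server-side gate: a conservative denylist of active-content markers, so a
// reply carrying script tags, inline handlers or javascript: URLs is flagged
// (logged, blocked or escaped) before the widget ever receives it.
const ACTIVE_CONTENT =
  /<\s*(script|iframe|object|embed|svg|img|link|meta)\b|\bon[a-z]+\s*=|javascript:/i;
function containsActiveContent(reply) {
  return ACTIVE_CONTENT.test(reply);
}

// Demonstration on the constructed reply.
console.log('flagged by gate:', containsActiveContent(SAMPLE_BOT_REPLY));
console.log('unsafe render:', renderUnsafe(SAMPLE_BOT_REPLY));
console.log('safe render:  ', renderSafe(SAMPLE_BOT_REPLY));
```

The gate is a detection aid, not a substitute for output escaping: escaping on render is what actually prevents execution, while the gate gives the operator a signal that a user is probing the bot.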

Yellow.ai customers include major companies like Sony, Logitech, Hyundai, Domino’s, and hundreds of other brands. It is unclear whether the chatbots used by Yellow.ai’s clients have the same security flaw as the customer service bot had, so Cybernews urges all Yellow.ai clients to be wary.

For more information, here’s the full report: https://cybernews.com/security/yellowai-customer-chatbot-cookies-flaw
