惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

M
MIT News - Artificial intelligence
有赞技术团队
有赞技术团队
S
Schneier on Security
aimingoo的专栏
aimingoo的专栏
T
Troy Hunt's Blog
U
Unit 42
Hacker News - Newest:
Hacker News - Newest: "LLM"
V2EX - 技术
V2EX - 技术
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
H
Heimdal Security Blog
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Cloudbric
Cloudbric
Google DeepMind News
Google DeepMind News
C
Cisco Blogs
The Cloudflare Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
MyScale Blog
MyScale Blog
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
N
News and Events Feed by Topic
Security Archives - TechRepublic
Security Archives - TechRepublic
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
F
Full Disclosure
The Register - Security
The Register - Security
L
LINUX DO - 热门话题
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
Intezer
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
T
Threatpost
Spread Privacy
Spread Privacy
小众软件
小众软件
AWS News Blog
AWS News Blog
S
Secure Thoughts
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
J
Java Code Geeks

Stack Overflow Blog

Paging Charity! How can engineering leaders avoid becoming Bond villains? Code isn’t the only thing causing your production failures Your AI shipped a backend that boots. That is the whole problem. The 2026 Developer Survey is now open (for human developers only)! Oh the places you’ll go with spatial data Dispatches from O'Reilly: From capabilities to responsibilities You don’t understand DNS like you think you do The new bottleneck - Stack Overflow AI agents are a confused deputy with the keys to your kingdom If context is king, architecture is the castle Selenium vs Cypress vs Playwright: Choosing Your Test Automation Framework Designing CherryScript: Optimizing Data-Driven Workflows via Custom Python-Based Interpreters Paging Charity? How do I get my leaders to stop running teams Into the ground? Developers are emotionally attached to their tools When the cost of code approaches zero, what does engineering leadership look like? Announcing Stack Overflow for Agents Creating checkpoints by gaslighting a Postgres database What can 500 years of journalism teach developers about AI trustworthiness? Making the OWASP top ten in the vibe code era What it takes to be a player in the international AI game Best of the Heap: First post of the past The find out stage of AI is just supply chain and password protection In an AI world, the most valuable developers will be both artisans and builders Agents on a leash: Agentic AI remains mostly single-agent and monitored at work Do you have what it takes to run AI in production? Dispatches from O'Reilly: The accidental orchestrator Breaking your AI storage bottlenecks Coding agents are giving everyone decision fatigue Pack your agentic stack in Slack Your fridge could be a threat to national security Interviews aren’t about you (sorry) “You can't vibe code scale”: What the AI hype gets wrong about software engineering No Dumb Questions: What is cloud computing and why is everyone doing it? Observability and human intuition in an AI world How Braze’s CTO is rethinking engineering for the agentic area You shipped it fast. But did you ship it right? Building a Google Drive Sync Engine that Survives MV3 Service Workers Connecting the dots for accurate AI When the Sensor Starts Thinking: SnortML, Agentic AI, and the Evolving Architecture of Intrusion Detection OAuth 2.0 – Device flow explained for Engineers, especially for Backend Engineers Introducing the Heap, the software engineering blog for everyone Compile-Time Map and Compile-Time Mutable Variable with C++26 Reflection No Dumb Questions: What is an MCP server and why do I care? AI giveth and AI taketh CPU How we replaced Ingress-NGINX at Stack Overflow What (un)exactly do you mean by semantic search? Dispatches from O'Reilly: Fast paths and slow paths Time is a construct but it can still break your software The Worst Coder in the World goes agentic: building a leaderboard cracking AI Turning scattered knowledge into trusted intelligence: Stack Internal 2026.3 Your LLM issues are really data issues Welcome to the “find out” stage of AI Lights, camera, open source! - Stack Overflow Black box AI drift: AI tools are making design decisions nobody asked for How to get multiple agents to play nice at scale We still need developer communities No country left behind with sovereign AI Human input needed: take our survey on AI agents Why AI hasn't replaced human expertise—and what that means for your SaaS stack Who needs VCs when you have friends like these? The messy truth of your AI strategies Gen Z needs a knowledge base (and so do you) He designed C++ to solve your code problems Seizing the means of messenger production What the AI trust gap means for enterprise SaaS How can you test your code when you don’t know what’s in it? Prevent agentic identity theft - Stack Overflow Building shared coding guidelines for AI (and people too) Multi-stage attacks are the Final Fantasy bosses of security After all the hype, was 2025 really the year of AI agents? AI is becoming a second brain at the expense of your first one Building a global engineering team (plus AI agents) with Netlify Keeping the lights on for open source Domain expertise still wanted: the latest trends in AI-assisted knowledge for developers Open source for awkward robots The context problem: Why enterprise AI needs more than foundation models Even the chip makers are making LLMs Organizing productive platform teams - Stack Overflow Building brains for bulldozers - Stack Overflow DeveloperWeek 2026: Making AI tools that are actually good AI-assisted coding needs more than vibes; it needs containers and sandboxes No need for Ctrl+C when you have MCP What’s new at Stack Overflow: March 2026 To live in an AI world, knowing is half the battle Beyond block or allow: How pay-per-crawl is reshaping public data monetization Your sneak peek at the redesigned Stack Overflow Dogfood so nutritious it’s building the future of SDLCs Defense against uploads: Q&A with OSS file scanner, pompelmi Even GenAI uses Wikipedia as a source Why Stack Overflow and Cloudflare launched a pay-per-crawl model Mind the gap: Closing the AI trust gap for developers Data is the new oil, and your database is the only way to extract it Even your voice is a data problem How everyone and anyone can use AI for good Is anyone using AI for good? The logos, ethos, and pathos of your LLMs Why demand for code is infinite: How AI creates more developer jobs AI attention span so good it shouldn’t be legal Code smells for AI agents: Q&A with Eno Reyes of Factory Generating text with diffusion (and ROI with LLMs)
AI agents expose the security checks you never actually wrote
Fabio Salvadori · 2026-06-15 · via Stack Overflow Blog

Earlier in June, attackers took control of more than twenty thousand Instagram accounts, including the dormant Obama-era White House account, without writing an exploit or guessing a single password. They opened a chat with Meta's AI support assistant, asked it to attach an email address they controlled to an account they did not own, and requested a password reset to that address. Meta later confirmed what the logs already showed: the assistant behaved exactly as designed, while a separate part of the system was supposed to verify that the email belonged to the account, and that check never ran.

Calling this an AI mistake misses what happened. The assistant carried out a valid sequence of permitted operations for whoever was talking to it. What would have stopped the attack was a person: a support worker who saw a stranger rerouting a celebrity's recovery email, sensed something was wrong, and refused.

A large share of real-world authorization was never written as software at all. Instead, it lived in the discretion of whoever stood between a request and the system, and everything behind them was built assuming that discretion would always be there. Put an agent in that seat and discretion vanishes, while nothing and nobody downstream notices. The agent does not bypass your security model, i justt exposes the part of it that was a person.

Security has a precise term for what Meta hit: the confused deputy. A process holding real privileges is talked by a less-privileged party into using those privileges on its behalf. No clear? It's the night guard who unlocks the vault for anyone who calls and says the boss sent them: he's got the keys, they've just got a good story. The canonical 1988 case was a compiler that could write to a protected billing file. A user who could not write there asked the compiler to do it for them, and it complied, because it had the authority and never asked whose request it was serving.

An LLM agent is one of these by construction. Its interface is natural language, which carries no notion of who is authorized to do what, and the model's whole job is to turn a plausible-sounding sentence into a tool call. A direct API request at least brings the caller's identity along with it. A sentence does not, so unless that identity is reattached before the call fires, the agent acts on its own authority and the requester's permissions never enter the picture.

Agents also cannot reliably separate instructions from data. Everything in the context window reads as potential instruction: the user's message, a retrieved document, the body of an email the agent was asked to summarize. A support bot that resets a password because a convincing chat told it to will just as readily follow a command hidden inside a file it was handed to process. The VPN trick that defeated Meta's geolocation check is the crude version of this. The sophisticated versions, where the malicious instruction is smuggled in through content the agent ingests, are already being documented as the dominant class of agent attack.

The Instagram bot could reset passwords, and that's a serious reach, but a bounded one. The agents shipping now are not bounded that way. In the same week Meta disabled the support tool, it launched its Business Agent, which books appointments, qualifies leads, closes sales, takes payments, and connects to systems like Shopify and Zendesk to act on a company's behalf. Run the same confused-deputy logic through a payment API and a CRM and the failure is no longer a stolen account. It is a refund sent to the wrong party, an order rerouted, a price overridden, a customer record edited, each one a legitimate operation the agent was authorized to perform for whoever asked.

The market is outrunning the security model. Gartner has projected that 40% of enterprise applications will include task-specific AI agents by the end of 2026, up from under 5% at the start of it. Most of those deployments will inherit the same assumption Meta's did, which is that whatever sits at the far end of a privileged action has judgment.

A more capable model behind the same workflow would have handed over the same accounts with better grammar, which is exactly why the model cannot be the place authorization lives, being the part an attacker controls. The decision to allow an action has to be made outside it, by a policy layer that checks who is actually behind the session before anything runs. Meta's assistant never established that the person it was talking to owned the account before it rebound their recovery email.

In a couple lines of code, what shipped looked something like this. The agent could call the function, and being able to call it was the whole authorization:

def add_recovery_email(account, new_email):
    account.recovery_email = new_email      # nothing here ties to the caller
    send_reset_link(new_email)

The fix is not a smarter model or a better prompt. It is the principal check that was missing, decided outside anything the chat can influence:

pythondef add_recovery_email(account, new_email, principal):
    if not principal.owns(account):         # who is actually asking, verified
        raise Unauthorized("session not authenticated as the account owner")
    account.recovery_email = new_email
    send_reset_link(new_email)


The attacker controlled the conversation, but principal comes from the authenticated session, not the chat, so no sequence of convincing messages can satisfy that line.

Agents should hold scoped, short-lived authority instead of standing access. A token minted to summarize a customer's open tickets should be useless for refunding their last order. That is least privilege, but it has to be enforced per action and per resource, not granted once when the session opens and trusted from then on, because an agent will be talked into reaching for everything its credentials permit.

Anything irreversible needs a gate the agent cannot drive through. A confirmation the model can satisfy by generating the right words is not a control, just fluff. Payments, deletions, permission changes, and account recovery belong behind a human approval or a hard policy rule, classified by how much damage they can do rather than waved through on the same path as a routine lookup.

Every action an agent takes should carry its provenance, meaning the principal, the session, and the prompt that produced it, so you can audit what happened and revoke it when something is exploited. Considering that the Instagram attack ran for roughly six weeks, the distance between a contained incident and twenty thousand stolen accounts is often just whether anyone could see, close to real time, that one privileged action was firing again and again for accounts with nothing in common.

None of this is a reason to keep agents away from real systems. They are worth building, and what went wrong at Meta was an ordinary engineering gap, not some property of AI we have to fear. Every fix here is something teams already know how to do: scope the credentials, verify the principal, gate the actions you cannot undo, and keep a record of what ran.

One habit ties them together. Before you connect an agent to anything that matters, ask what the person in that loop used to check. That judgment was real work, and now it has to exist as code, because the agent will not improvise it for you. Do that, and obedience stops being the liability. An agent that does exactly what it is allowed to do is precisely what you want, as long as you have done the work of deciding what it is allowed to do.