Critical Copilot flaw allowed one-click theft of emails and 2FA codes

The Hacker News

Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path called SearchLeak. Microsoft assigned CVE-2026-42824 with critical severity and mitigated the flaw server-side. The exploit used parameter-to-prompt injection and a race condition to bypass guardrails.

MicrosoftCopilot

See 2 more sources

Critical Copilot vulnerability allowed hackers to seal 2FA code from users8 days agoDan Goodin

Copilot 'SearchLeak' Attack Allows 1-Click Data Theft9 days agoAlexander Culafi

The Hacker News

Jun 15, 3:09 PM