An AI agent hacked McKinsey's internal AI platform in two hours using a decades-old technique
Summary
Security firm Codewall utilized an AI agent to breach McKinsey's internal AI platform, Lilli, gaining full read and write access to its production database within two hours. The attack exploited a SQL injection vulnerability that traditional scanners failed to detect, specifically targeting JSON field names in API requests. This allowed the agent to extract 46.5 million chat messages, 728,000 files, and 57,000 user accounts. Critically, the system prompts controlling Lilli's behavior were stored in the same database, meaning an attacker could have silently manipulated the AI's responses for 43,000 users by rewriting prompts with a single UPDATE statement. The agent also accessed 3.68 million RAG document chunks, comprising McKinsey's proprietary knowledge base. McKinsey patched the system within a day of notification on March 1, and a forensic investigation found no evidence of client data access.
Key takeaway
For CTOs and VPs of Engineering deploying internal AI platforms, your security architecture must evolve beyond traditional perimeter defenses. You should immediately review how your AI system's prompts and RAG data are stored and accessed, ensuring they are isolated from general production databases. Prioritize specialized security testing that can detect non-traditional SQL injection vectors, as a decades-old vulnerability can now enable silent, widespread AI manipulation.
Key insights
Classic SQL injection vulnerabilities can enable silent, widespread AI system manipulation via prompt and RAG data access.
Principles
- Prompts are a new attack surface.
- Traditional scanners miss novel SQLi vectors.
- AI system security requires prompt layer protection.
Method
Over 15 blind iterations, the AI agent used the information leaked in error messages to refine a SQL injection that targeted the JSON field names in API requests rather than the input values, eventually gaining full read/write access to the database.
In practice
- Audit JSON field name handling in SQL queries.
- Isolate prompts and RAG data from general databases.
- Implement AI-specific security testing.
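As an added illustration (not code from the article, Codewall or McKinsey), the bug class described under Method beside its hardened form: an UPDATE builder that pastes JSON field names into SQL next to one that maps request keys through a fixed allow-list. The table, column names and request body are constructed for the example.

```python
import sqlite3

# Constructed allow-list: request key -> real column name. Only these may be updated.
ALLOWED_COLUMNS = {"display_name": "display_name", "email": "email"}


def build_update_vulnerable(table: str, payload: dict) -> tuple[str, list]:
    """Vulnerable pattern: JSON field names are pasted into the SQL text.
    Values are parameterised, so a value-focused scanner sees nothing wrong,
    but the key is attacker-controlled and becomes part of the statement."""
    assignments = ", ".join(f"{key} = ?" for key in payload)  # key is never checked
    return f"UPDATE {table} SET {assignments} WHERE id = ?", list(payload.values())


def build_update_hardened(table: str, payload: dict) -> tuple[str, list]:
    """Hardened pattern: every request key must be in the allow-list, and the
    identifier written into the SQL comes from the allow-list, not the request."""
    if not payload:
        raise ValueError("no updatable fields supplied")
    columns = []
    for key in payload:
        if key not in ALLOWED_COLUMNS:
            raise ValueError(f"field not updatable: {key!r}")
        columns.append(ALLOWED_COLUMNS[key])
    assignments = ", ".join(f"{col} = ?" for col in columns)
    return f"UPDATE {table} SET {assignments} WHERE id = ?", list(payload.values())


def demo() -> dict:
    """Run both builders against a constructed in-memory table and report the outcome."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, "
                 "email TEXT, is_admin INTEGER DEFAULT 0)")
    conn.execute("INSERT INTO users (display_name, email) VALUES ('alice', 'a@example.test')")
    # Constructed request body: the client names a column it should never control.
    request_body = {"display_name": "alice", "is_admin": 1}

    sql, params = build_update_vulnerable("users", request_body)
    conn.execute(sql, params + [1])  # the unchecked key reaches the database
    vuln_is_admin = conn.execute("SELECT is_admin FROM users WHERE id = 1").fetchone()[0]

    hardened_rejected = False
    try:
        build_update_hardened("users", request_body)
    except ValueError:
        hardened_rejected = True  # request never reaches the database
    return {"vulnerable_set_is_admin": vuln_is_admin, "hardened_rejected": hardened_rejected}
```

The same allow-list discipline applies to any identifier taken from a request (column, table, sort field): bind values as parameters, but resolve names only through a fixed map.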
Topics
- AI Security
- SQL Injection
- Prompt Manipulation
- AI Platform Vulnerabilities
- Offensive AI Agents
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, Software Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by The Decoder.