GET /congress/2025/event/05e9ba1f-11c5-5d4e-b907-4feecc857ae5/?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
  "id": "05e9ba1f-11c5-5d4e-b907-4feecc857ae5",
  "kind": "official",
  "name": "Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents",
  "slug": "agentic-probllms-exploiting-ai-computer-use-and-coding-agents",
  "url": "https://api.events.ccc.de/congress/2025/event/05e9ba1f-11c5-5d4e-b907-4feecc857ae5/?format=api",
  "track": "security",
  "assembly": "ccc",
  "room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
  "location": null,
  "language": "en",
  "description": "During the Month of AI Bugs (August 2025), I responsibly disclosed over two dozen security vulnerabilities across all major agentic AI coding assistants. This talk distills the most severe findings and patterns observed.\r\n\r\nKey highlights include:\r\n* Critical prompt-injection exploits enabling zero-click data exfiltration and arbitrary remote code execution across multiple platforms and vendor products\r\n* Recurring systemic flaws such as over-reliance on LLM behavior for trust decisions, inadequate sandboxing of tools, and weak user-in-the-loop controls.\r\n* How I leveraged AI to find some of these vulnerabilities quickly\r\n* The AI Kill Chain: prompt injection, confused deputy behavior, and automatic tool invocation\r\n* Adaptation of nation-state TTPs (e.g., ClickFix) into AI ClickFix techniques that can fully compromise computer-use systems.\r\n* Insights about vendor responses: from quick patches and CVEs to months of silence, or quiet patching\r\n* AgentHopper will highlight how these vulnerabilities combined could have led to an AI Virus\r\n\r\nFinally, the session presents practical mitigations and forward-looking strategies to reduce the growing attack surface of probabilistic, autonomous AI systems.",
  "schedule_start": "2025-12-28T13:30:00+01:00",
  "schedule_duration": "01:00:00",
  "schedule_end": "2025-12-28T14:30:00+01:00"
}