GhostApproval: A Trust Boundary Gap in AI Coding Assistants
Wiz Research introduces GhostApproval, a category-wide vulnerability affecting multiple AI coding assistants, including Amazon Q Developer, Claude Code, Cursor, Google Antigravity, Augment, and Windsurf. The attack exploits symbolic links (CWE-61) to trick AI agents into writing to sensitive files outside the project workspace, while approval dialogs often display only the benign-looking workspace path rather than the actual target (CWE-451: User Interface Misrepresentation of Critical Information). In some cases, the agent internally recognizes the true destination but presents misleading information to the user, undermining the "human-in-the-loop" security model; in Windsurf, writes were observed to occur before user approval. The research recommends resolving canonical paths before prompting users, clearly displaying the real destination of file operations, enforcing workspace boundary validation, and ensuring that no filesystem changes occur until explicit authorization is granted.
https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants
Comments
Post a Comment