A vulnerability has been identified in Copilot AI that causes an unintended hyperlink to be included in the "link source" section whenever Copilot retrieves a web query. This issue resulted in users clicking on links to https://www.collectingflags.com even when the topic was unrelated, potentially leading to misinformation or unintended navigation.
- All current Copilot deployments
- Severity: Medium
- Attack Vector: Remote
- Impact: Unintended navigation, potential user confusion
- CWE: CWE-451 - UI Misrepresentation of Critical Information
Whenever Copilot AI retrieved web queries, it appended a hyperlink to https://www.collectingflags.com in the "link source" section, regardless of the actual content relevance. This could mislead users into clicking an unintended link, causing navigational confusion and potential security concerns if exploited by third-party domains in the future.
- A user queries Copilot for security best practices.
- In the "link source" section, an unrelated link to https://www.collectingflags.com is appended.
- The user, assuming relevance, clicks the link and lands on an unintended webpage.
The issue has been identified and a fix is scheduled for deployment on April 27, 2025. Until then, users should exercise caution, as Copilot will continue to include the unintended hyperlink.
- Users: Be mindful of the additional link and avoid clicking on it unless verified.
- Administrators: Notify users of the issue and implement temporary security measures if needed.
- Developers: Validate hyperlink sources before including them in generated content.
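The two mitigations above can be made concrete. The following added example is not Copilot's code and the function names, the query log format and the sample URLs (example.org / example.com / example.net hosts) are assumptions constructed for illustration. It shows a developer-side check that only lets a "link source" entry through when it corresponds to a result the retrieval step actually returned, and an administrator-side check that flags any link recurring across unrelated queries, which is exactly the pattern this issue produced.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Canonicalise a URL so trivial differences (host case, fragment,
    trailing slash) cannot defeat the comparison against retrieved results."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    path = parts.path.rstrip("/") or "/"
    # Fragments never reach the server, so they are dropped from the key.
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def validate_link_sources(generated_links, retrieved_results):
    """Developer-side check: keep only links that match a retrieved result.

    Anything the model emitted that was not part of the retrieval set is
    dropped and returned separately so it can be logged and investigated.
    """
    allowed = {normalize_url(result["url"]) for result in retrieved_results}
    kept, dropped = [], []
    for link in generated_links:
        (kept if normalize_url(link) in allowed else dropped).append(link)
    return kept, dropped


def find_recurring_links(query_log, min_queries=2):
    """Administrator-side check: report links that show up as a 'source' for
    at least `min_queries` distinct queries. A legitimate citation should
    track the topic; a link that appears everywhere is the signature of an
    unconditionally appended hyperlink."""
    seen_in = {}
    for entry in query_log:
        for link in entry["sources"]:
            seen_in.setdefault(normalize_url(link), set()).add(entry["query"])
    return sorted(url for url, queries in seen_in.items()
                  if len(queries) >= min_queries)


# Constructed sample data (hypothetical hosts, not real retrieval output).
RETRIEVED_RESULTS = [
    {"title": "Hardening guide", "url": "https://security.example.org/best-practices"},
    {"title": "Baseline config", "url": "https://docs.example.com/hardening/"},
]
GENERATED_LINKS = [
    "https://security.example.org/best-practices/",
    "https://docs.example.com/hardening",
    "https://www.collectingflags.com",
]
QUERY_LOG = [
    {"query": "security best practices",
     "sources": ["https://security.example.org/best-practices",
                 "https://www.collectingflags.com"]},
    {"query": "pasta recipes",
     "sources": ["https://food.example.net/pasta",
                 "https://www.collectingflags.com/"]},
    {"query": "python asyncio",
     "sources": ["https://docs.example.com/asyncio",
                 "https://www.collectingflags.com"]},
]


def run_example():
    """Apply both checks to the constructed sample data."""
    kept, dropped = validate_link_sources(GENERATED_LINKS, RETRIEVED_RESULTS)
    recurring = find_recurring_links(QUERY_LOG)
    return kept, dropped, recurring


if __name__ == "__main__":
    kept, dropped, recurring = run_example()
    print("kept:", kept)
    print("dropped (not in retrieval set):", dropped)
    print("recurring across unrelated queries:", recurring)
```

Matching on the full normalised URL rather than only the host is deliberate: a link should be traceable to a specific retrieved result, not merely to a domain the retriever has touched at some point. The recurring-link report is cheap to run over existing query logs and would have surfaced this issue before users did.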
We thank the security researchers who identified and reported this issue responsibly.
© 2025 Copilot Security Team