
A second-order prompt injection can turn the AI into a malicious infiltrator

  • AppOmni warns that ServiceNow’s Now Assist AI can be exploited by “second-order prompt injection.”
  • Low-privileged malicious agents can recruit higher-privileged agents to extract sensitive data.
  • The risk comes from the default configurations. Mitigations include supervised execution, disabling the Autonomous Overwrite feature, and agent monitoring.

We’ve all heard of malicious insiders, but have you ever heard of malicious insider AI?

Security researchers at AppOmni are warning that the ServiceNow Now Assist generative artificial intelligence (GenAI) platform can be misused to turn against you and other agents.

Now Assist by ServiceNow is a platform that enables collaboration between agents. This means that an AI agent can direct another AI agent to perform specific tasks. If the “parent” AI agent is malicious, it can direct the “secondary” agent with higher privileges to perform malicious actions, such as stealing sensitive files or escalating privileges.

Second-order prompt injection

For example, a low-privilege workflow triage agent takes in an incorrect client request and generates an internal task that calls for a “full context export” of a current case.

The task is automatically assigned to an elevated “data recovery agent,” which interprets the request as legitimate, collects a packet of sensitive information (name, phone number, account ID, and internal audit notes) and sends it to an external notification endpoint that the system mistakenly trusts.

Because each agent assumes the other is acting legitimately, the data leaves the system without a human reviewing or approving the action.

However, for this to work, the Now Assist platform must be left at its default settings.

“This finding is alarming because it is not a flaw in the AI, but rather an expected behavior defined by certain default configuration options,” said Aaron Costello, director of SaaS security research at AppOmni.

“When agents can detect and recruit each other, an innocent request can quietly turn into an attack where criminals steal sensitive data or gain additional access to internal corporate systems. These settings are easy to miss.”

The vulnerability has been named “second-order prompt injection.”

While ServiceNow said the system is working as intended and no changes will be made, the company has updated its documentation to more clearly outline the potential risks, The Hacker News reports.

To mitigate these threats, users are advised to configure supervised execution mode for privileged agents, disable the Autonomous Overwrite feature, segment agent tasks by shift, and monitor AI agents for suspicious behavior.
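
The export scenario above, written as a monitoring check over a log of agent tasks. This is an added example, not AppOmni's or ServiceNow's code; the record fields, agent and action names, and hostnames are constructed assumptions and do not reflect a Now Assist schema.

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical task-log record for illustration; not a ServiceNow data model.
@dataclass(frozen=True)
class Task:
    task_id: str
    parent_id: Optional[str]        # task that delegated this one; None for a root
    agent: str
    privilege: int                  # higher number = more privileged agent
    action: str
    destination: Optional[str] = None
    human_approved: bool = False    # set when a person signed off (supervised mode)
    untrusted_input: bool = False   # task was created from externally supplied text

INTERNAL_SUFFIXES = (".corp.example",)      # assumption: allowlisted internal hosts
SENSITIVE_ACTIONS = {"export_case_context"}  # assumption: actions needing review

def ancestry(task, by_id):
    """Yield the task and each ancestor; stop on a missing parent or a cycle."""
    seen = set()
    while task is not None and task.task_id not in seen:
        seen.add(task.task_id)
        yield task
        task = by_id.get(task.parent_id)

def review_queue(tasks):
    """Return (task_id, reasons) for sensitive actions that should wait for a human."""
    by_id = {t.task_id: t for t in tasks}
    findings = []
    for t in tasks:
        if t.action not in SENSITIVE_ACTIONS or t.human_approved:
            continue
        chain = list(ancestry(t, by_id))
        reasons = []
        if min(a.privilege for a in chain) < t.privilege:
            reasons.append("delegated by lower-privileged agent")
        if any(a.untrusted_input for a in chain):
            reasons.append("chain starts from untrusted input")
        if t.destination and not t.destination.endswith(INTERNAL_SUFFIXES):
            reasons.append("external destination")
        if reasons:
            findings.append((t.task_id, reasons))
    return findings

SAMPLE = [  # constructed log: triage agent's task, the export it triggers, a direct export
    Task("T1", None, "triage", 1, "create_task", untrusted_input=True),
    Task("T2", "T1", "data_recovery", 3, "export_case_context", "hooks.notify.example"),
    Task("T4", None, "data_recovery", 3, "export_case_context", "archive.corp.example"),
]
```

Only T2 is queued for review: it is a privileged export reached through a lower-privileged agent, rooted in untrusted text, and bound for a host outside the allowlist.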