16 comments

[ 2.6 ms ] story [ 29.5 ms ] thread
So we know Claude’s mitigation. What is Ramp’s? Same warning dialog?

It’s funny that this technology only admits in-band signaling. Given that, any foreign content is risky. It’s actually quite interesting that the current technological ecosystem is built around a high trust situation: npm, pip, cargo all run foreign code in the developer context and communities have norms of downloading random people’s modules.

And so I suppose it’s no surprise that we use LLMs - another tech that is high-trust: since it has no out of band signaling ability.

But it seems like we’re very close to the end of the era where someone will use (in a sensitive system) arbitrary web content carrying the equivalent of merged code/data.

"The PromptArmor Threat Intel Team responsibly disclosed this vulnerability to Ramp. Ramp's security team indicated that the issue was resolved on May 16, 2026." I think they mean March here
It's kinda awesome that after decades of software and hardware advancements to prevent computers from arbitrarily executing data as instructions, we've decided to let agents arbitrarily execute data as instructions.
It's probably why this "vulnerability" feels like the type of defects you'd see in Windows or desktop applications 20+ years ago.

The root cause was and a complete lack of effort to even attempt to secure things because no one had thought to do so, and now we're starting all over again at a new computing layer. Cloud was somewhat similar, but not nearly as bad.

It's bizarre to me since presumably someone who learned the lessons before is still working, but also great for my job security.

security researchers, pen-testers & whoever is in cybersecurity gonna be making huge amounts of cash based on these insecure agents
What about this is a vulnerability, let alone one that requires responsible disclosure?

Untrusted data sources can provide data that causes bad things to occur. If that's a vulnerability, then any application that ingests data is riddled with vulnerabilities.

I agree that the behavior should change from a default of allowing external network requests to denying them, but this "report" reads like overly dramatic marketing BS.

Find it funny that PromptArmor needed to reach out 3 times in a row to get a nearly month-late response that the issue "was resolved"
I once read about the signalling view of advertising, meaning it's used to show that a company is so prosperous that it can afford spending a lot of money in advertising. In the same way, I think from now on, as much as possible, I'll only buy from companies that will publicly make it a point not to use AI internally. AI use should brand companies as desperate and unreliable.
Concidentially, today I was watching and interview with a lead designer from Ramp who is telling about how they are full ia, agents and automation https://youtu.be/KPDXMtmkcgk
Why is Ramp even building a sheets product? That's the question zero that popped up to my head.