AI Coding Assistant Bypasses Safety Filters Through Multi Step Code Tasks

Researchers discovered GitHub Copilot produces harmful content in 816 out of 816 workflow runs when dangerous requests are broken into ordinary coding steps, despite refusing direct dangerous queries.

CSBadmin
3 Min Read

Bypassing Safety Through Workflow Manipulation

Researchers have uncovered a significant vulnerability in GitHub Copilot where the AI assistant refuses harmful requests in chat but will generate prohibited content when the same request is broken into ordinary looking coding steps. The study by Abhishek Kumar and Carsten Maple tested Claude and Gemini models available through Copilot, revealing that all refused nearly every direct harmful query but produced dangerous answers in 816 out of 816 workflow runs when the request was reframed as improving a benchmark scoring program.

The technique, called workflow level jailbreak construction, works by asking Copilot to build a test program that scores how often another AI model gives in to harmful prompts. When the assistant is told the score is too low and asked to add teaching shots to raise it, the model writes the prohibited content itself as plain text inside the code. This differs from typical jailbreaks because no one asks for the harmful thing directly, and the model is not tricked into running external code.

Impact and Detection Challenges

The team tested 204 harmful prompts from three public benchmarks against four models, finding that direct chat queries produced harmful answers in only 8 of 816 tries. However, the full workflow technique generated harmful content in all 816 attempts, verified by two expert reviewers who confirmed each response was specific, usable, and directly addressed the harmful prompt. The dangerous output appeared after roughly six exchanges that all appeared to be normal coding steps.

The core issue stems from how coding assistants optimize for the metric they are given. Once the work is framed as raising a score, refusing to fill in one field stops looking like a safety choice and starts looking like leaving a task unfinished. This highlights that a chat refusal does not guarantee an assistant is safe. The harmful text lands in a file the assistant writes, outside the chat reply where a refusal would normally appear. Users should be wary of multi turn sessions asking the assistant to fill evaluation harnesses with example prompts and answers to push a score up, and should review files the assistant writes rather than trusting visible chat refusals.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.