
Worrying Security Vulnerabilities Found in Microsoft's AI Healthcare Bots

A bug in Microsoft's Azure Health Bot Service could have put people's private data at risk.

By Emily Price, Weekend Reporter


Company chatbots are hit or miss when it comes to serving up useful information, and they may not be ready to handle sensitive health data.

As Dark Reading reports, cybersecurity researchers at Tenable discovered "critical vulnerabilities" with Microsoft's Azure Health Bot Service that could have put people's health data at risk.

Azure's bot service is a cloud platform that helps healthcare professionals deploy AI-powered virtual health assistants. Organizations can create experiences that work alongside human employees to help manage administrative workflows and better engage with patients. And for that to work, the bot needs access to some patient information.

The Azure Health Bot Service includes a data-connection component that allows bots "to interact with external data sources to retrieve information from other services that the provider may be using, such as a portal for patient information or a reference database for general medical information," Tenable says.

However, researchers found they could connect "using a malicious external host, and [set] that up to respond to any queries from the platform with 301 or 302 redirect codes indicating that the web page had been permanently moved," Dark Reading explains. "Those redirect responses were sent back to the [service's internal metadata service], which in turn responded with metadata that leaked the access tokens."
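The defensive counterpart to the redirect chain described above, written as an added illustration rather than code from Tenable, Microsoft or Dark Reading: an outbound data connector that re-validates every redirect hop against loopback, private and link-local ranges (the block cloud instance-metadata endpoints answer on) before following it. The hostnames, addresses and HTTP responses are constructed stand-ins so the example runs offline.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Ranges an external data connector must never be redirected into; 169.254.0.0/16
# is where cloud instance metadata services (and their tokens) live.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Simulated HTTP response: (status, headers, body). Constructed for this example.
Response = Tuple[int, Dict[str, str], str]

def is_blocked_target(url: str, resolve: Callable[[str], str]) -> bool:
    """True if the URL's scheme or resolved address is off-limits for a connector."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    try:
        addr = ipaddress.ip_address(resolve(parsed.hostname))
    except ValueError:  # resolver returned something that is not an address
        return True
    return any(addr in net for net in BLOCKED_NETS)

def fetch_without_following_into_internal(
    url: str, fetch: Callable[[str], Response], resolve: Callable[[str], str],
    max_hops: int = 3,
) -> Optional[Response]:
    """Follow redirects manually, validating each hop; return None when blocked."""
    for _ in range(max_hops + 1):
        if is_blocked_target(url, resolve):
            return None
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]  # re-validated at the top of the next hop
            continue
        return (status, headers, body)
    return None  # redirect loop or too many hops

# Constructed offline stand-ins for DNS and the web; IP literals resolve to themselves.
FAKE_DNS = {"connector.example": "203.0.113.10"}
FAKE_WEB = {
    "https://connector.example/api": (301, {"Location": "http://169.254.169.254/metadata/identity"}, ""),
    "http://169.254.169.254/metadata/identity": (200, {}, "constructed-token-value"),
}

def demo() -> Optional[Response]:
    """Hostile host answers 301 toward the metadata endpoint; the hop is refused."""
    return fetch_without_following_into_internal(
        "https://connector.example/api", FAKE_WEB.__getitem__, lambda h: FAKE_DNS.get(h, h))
```

In a real connector the socket should be opened to the address that was validated rather than re-resolving the hostname, so a DNS answer cannot change between the check and the connection.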

Ultimately, the bug gave Tenable access to "hundreds and hundreds of resources belonging to other customers."

Tenable notified Microsoft in June and it issued a fix. Tenable also got a bug bounty, but says "no evidence was discovered that indicated this issue had been exploited by a malicious actor."

About Our Expert

Emily Price

Emily Price

Weekend Reporter

Emily is a freelance writer based in Durham, NC. Her work has appeared in The Wall Street Journal, The New York Times, Lifehacker, Popular Mechanics, Macworld, Engadget, Computerworld, and more. You can also snag a copy of her book Productivity Hacks: 500+ Easy Ways to Accomplish More at Work--That Actually Work! online through Simon & Schuster or wherever books are sold.