Cybernews reports that more than 200,000 law firms and legal teams around the world could have their sensitive client documents compromised through a phishing vulnerability in vLex's Vincent AI assistant that could be exploited with concealed HTML code. According to an analysis from PromptArmor researchers, hidden text embedded in documents uploaded to vLex could facilitate indirect prompt injection and remote code execution, triggering fake screen overlays that lure targets into providing their login credentials. Attackers could also lure the Vincent AI model into supplying illicit JavaScript found in HTML elements or Markdown hyperlinks, allowing zero-click data theft, session takeovers, forced file downloads, and cryptomining every time that chat is opened, according to PromptArmor co-founder and Managing Director Shankar Krishnan. While vLex has already been informed about the security weakness, organizations have been urged to ensure proper labeling of untrusted documents, bolster visibility permission configurations, and prohibit document uploads from unverified sources.
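As a defensive illustration of the rendering side of this issue, the added example below (not code from vLex, PromptArmor, or Cybernews) treats assistant output as untrusted before a chat UI displays it: raw HTML is escaped and Markdown links are kept only if they use http or https. The function name, the finding labels, and the sample string are assumptions constructed for this example.

```python
import html
import re

# Markdown inline link: [label](target "optional title")
MD_LINK = re.compile(r'\[([^\]]*)\]\(([^)]*)\)')
ALLOWED_SCHEMES = ("http://", "https://")


def _normalize(target):
    # Decode character references and drop whitespace/control characters
    # so an obfuscated scheme is compared in its effective form.
    return re.sub(r'[\x00-\x20]', '', html.unescape(target)).lower()


def neutralize(model_output):
    """Return (safe_text, findings) for text produced by the assistant.

    Hypothetical helper: links outside the scheme allowlist are reduced
    to their label, and any remaining markup is escaped so the browser
    shows it as text instead of building elements from it.
    """
    findings = []

    def fix_link(match):
        label, target = match.groups()
        if _normalize(target).startswith(ALLOWED_SCHEMES):
            return match.group(0)          # ordinary web link, keep as is
        findings.append("link:" + target)  # record what was removed
        return label                       # keep visible text, drop target

    text = MD_LINK.sub(fix_link, model_output)
    if re.search(r'<[a-zA-Z/!]', text):
        findings.append("raw-html")
    return html.escape(text, quote=True), findings


# Constructed sample of assistant output, not taken from the report.
SAMPLE = (
    'See [the ruling](https://example.com/r?id=1) and '
    '[log in](JavaScript:0) '
    '<div style="position:fixed">Session expired</div>'
)

if __name__ == "__main__":
    safe, findings = neutralize(SAMPLE)
    print(safe)
    print(findings)
```

The findings list can be logged per document so that uploads that repeatedly cause markup in responses are surfaced for review.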
