AI Agent Hacks Hiring Platform in 1 Hour

AI agent chains 4 bugs to pwn hiring platform: AI security lesson for builders
30-Second TL;DR
What Changed
Chained 4 bugs: URL fetcher, open test mode, no role checks, no domain verification
Why It Matters
Highlights AI-vs-AI attack risks in agentic systems and the need to check how individual bugs chain together. Startups like Jack & Jill can be exploited rapidly, which underlines the need for red-teaming.
What To Do Next
Run red-teaming on your AI agents using CodeWall to chain-test benign bugs.
Deep Insight
Web-grounded analysis with 6 cited sources.
Enhanced Key Takeaways
- Jack & Jill, a London-based AI recruitment startup, raised a $20 million seed round led by Creandum with over 75 angel investors including figures from Anthropic, ElevenLabs, and Lovable[3].
- The platform serves 49,000 candidates who have interacted with its AI voice agents and is used by hundreds of companies, including high-profile clients like Anthropic, Stripe, Monzo, Cursor, Synthesia, Pika, and Lovable[3].
- This hack follows CodeWall's prior autonomous AI agent exploit of McKinsey's Lilli platform via a SQL injection vulnerability in unprotected API endpoints[4].
- The attack chain exploited Clerk's test mode, where emails containing '+clerk_test' and matching a company domain automatically triggered get_or_create_company to grant org admin access[3].
Technical Deep Dive
- CodeWall's agent first conducted reconnaissance on Jack & Jill's capabilities, then used multi-turn social engineering to build rapport and attempt jailbreaks before chaining bugs[1].
- It accessed full API documentation and 220 endpoints via an internal proxy without login, exploiting a faulty URL fetcher[1][3].
- Open test mode in Clerk allowed '+clerk_test' emails to auto-join as org admin if the domain matched a registered company[3].
- Missing role checks during onboarding granted full admin privileges, enabling access to team data, contracts, and job postings[1].
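
The onboarding flaw described above (a '+clerk_test' address on a registered company's domain ending up as org admin) next to a hardened check that closes the test-mode, domain-verification and role gaps. This is an added example, not code from Jack & Jill, Clerk or CodeWall; the `Signup` fields, function names and outcome strings are assumptions, and all addresses are constructed.

```python
from dataclasses import dataclass

TEST_MARKER = "+clerk_test"  # test-mode address tag named on the page


@dataclass
class Signup:
    email: str
    email_verified: bool            # assumption: set only after a real mailbox round-trip
    invited_by_admin: bool = False  # assumption: an existing org admin issued an invite


def weak_onboard(signup, companies):
    """Behaviour the page describes: a domain match alone yields org admin."""
    domain = signup.email.rsplit("@", 1)[-1].lower()
    return ("joined", "admin") if domain in companies else ("created", "admin")


def hardened_onboard(signup, companies, production=True):
    """Return (outcome, role); role is None whenever access is refused."""
    local, _, domain = signup.email.lower().rpartition("@")
    if not local or not domain:
        return ("rejected_malformed", None)
    # 1. Test-mode identities never reach production tenants.
    if production and TEST_MARKER in local:
        return ("rejected_test_identity", None)
    # 2. A domain claim counts only after mailbox ownership is proven.
    if not signup.email_verified:
        return ("rejected_unverified", None)
    # 3. Existing org: an admin invite is required and the joiner gets the lowest role.
    if domain in companies:
        if not signup.invited_by_admin:
            return ("pending_admin_approval", None)
        return ("joined", "member")
    # 4. New org: only the verified creator of an unregistered domain becomes admin.
    companies.add(domain)
    return ("created", "admin")
```
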
Original source: Computerworld