Hacker News

Are you telling me I, a normal unprivileged user, have a way to read files on windows that bypasses audit logs?




I'm guessing they are making an implicit distinction between access as the user, vs with the privs of the user.

In the second case, the process has permission to do whatever it wants, it elects to restrain itself. Which is obviously subject to many more bugs than the first approach.


If there is a product defect? Sure.

The dude found the bug, reported the bug, they fixed the bug.

This isn’t uncommon, there are bugs like this frequently in complex software.


I think you just defined away the entire category of vulnerability known as "privilege escalation".

This isn’t an example of escalation. Copilot is using the user’s token similar to any other OAuth app that needs to act on behalf of the user.

If that is true, then how did it not get logged? The audit should not be under the control of the program making the access.

You're conflating two issues. The Purview search used to get the bad result wasn't clear, so unsure what system is doing the logging.

If someone (Copilot, in this case) has built a search index that covers all the files on your computer, and left it accessible to your user account... yes
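The thread turns on whether a read of a file on Windows shows up in the audit log regardless of which program performed it. The following PowerShell is an added example, not code from any commenter or from Microsoft: it attaches an audit rule (SACL) to a file, reads the file as the current user, and then looks in the Security log for event 4663, whose record names the process that opened the object. The file path is a constructed sample; the script assumes "Audit File System" object-access auditing is enabled (for example with auditpol) and that it runs with the rights needed to change SACLs and read the Security log (normally an elevated session).

```powershell
# Added example (not from the thread): check that a file read is recorded by the
# OS audit log, with the reading process recorded by the kernel rather than by
# the program itself. Assumes object-access auditing is enabled and an elevated session.

$path = 'C:\Sensitive\secret.txt'   # constructed sample path; replace with a real file

# 1. Add an audit rule so that every successful ReadData on the file is logged.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 2. Read the file as the current user; any other program would trigger the same rule.
Get-Content -Path $path | Out-Null

# 3. List recent 4663 events that name this file, with the process the kernel recorded.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -match [regex]::Escape($path) } |
    ForEach-Object {
        $proc = if ($_.Message -match 'Process Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Process = $proc }
    }
```

If a program reaches the file's contents through a separate copy (a search index, a cache, a synced replica), the rule above records only reads of the original file, not reads of the copy; that is the point the last comment makes, and it is why a defender audits the index or cache location as well as the source file.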
