@base <https://codewall.ai/blog/how-we-hacked-mckinseys-ai-platform> .
@prefix schema: <https://schema.org/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .

<#article> a schema:Article ;
  schema:headline "How We Hacked McKinsey's AI Platform"@en ;
  schema:name "How We Hacked McKinsey's AI Platform"@en ;
  schema:datePublished "2026-03-09" ;
  schema:inLanguage "en" ;
  schema:url <https://codewall.ai/blog/how-we-hacked-mckinseys-ai-platform> ;
  schema:publisher <#codewall-blog> ;
  schema:author <#paul-price> ;
  schema:about
    <#lilli>,
    <#autonomous-offensive-agent>,
    <#attack-surface-mapping>,
    <#json-key-sql-injection>,
    <#idor-vulnerability>,
    <#prompt-layer-compromise>,
    <#responsible-disclosure>,
    <#rag-document-chunks>,
    <#production-database-exposure> ;
  schema:articleSection
    "How It Got In"@en,
    "What Was Inside"@en,
    "Beyond the Database"@en,
    "Compromising The Prompt Layer"@en,
    "Why This Matters"@en,
    "Disclosure Timeline"@en ;
  schema:abstract """The article claims an autonomous offensive security agent found an unauthenticated SQL injection in McKinsey's internal AI platform, chained it with other flaws, and achieved broad read-write access to production data and prompt-layer configuration before responsible disclosure and remediation."""@en ;
  schema:articleBody """CodeWall describes pointing an autonomous offensive agent at McKinsey's internal AI platform Lilli with no credentials and no human in the loop. The article says the agent discovered public API documentation, found unauthenticated endpoints, recognized a SQL injection in JSON keys after observing reflected database errors, and iterated until it gained production database access. It then describes the resulting visibility into chats, files, user accounts, RAG content, AI system prompts, and cross-user search history, arguing that prompt-layer compromise is an under-protected control plane for enterprise AI systems."""@en ;
  schema:hasPart
    <#part-entry>,
    <#part-data>,
    <#part-expanded-scope>,
    <#part-prompts>,
    <#part-implications>,
    <#part-disclosure> ;
  schema:mentions
    <#defined-terms>,
    <#security-research-howto>,
    <#faq-1>, <#faq-2>, <#faq-3>, <#faq-4>, <#faq-5>,
    <#faq-6>, <#faq-7>, <#faq-8>, <#faq-9>, <#faq-10>,
    <#mckinsey>, <#codewall>, <#responsible-disclosure-policy> .

<#codewall-blog> a schema:Blog ;
  schema:name "CodeWall Research & News"@en ;
  schema:url <https://codewall.ai/blog> ;
  schema:publisher <#codewall> .

<#codewall> a schema:Organization ;
  schema:name "CodeWall"@en ;
  schema:url <https://codewall.ai/> ;
  schema:description """CodeWall is the security research organization publishing the article and positioning its platform as autonomous offensive security for modern teams."""@en .

<#paul-price> a schema:Person ;
  schema:name "Paul Price"@en ;
  schema:jobTitle "Founder & CEO"@en ;
  schema:affiliation <#codewall> ;
  schema:description """Paul Price is listed as the article author and leader of CodeWall."""@en .

<#mckinsey> a schema:Organization ;
  schema:name "McKinsey & Company"@en ;
  schema:url <https://www.mckinsey.com/> ;
  owl:sameAs <https://dbpedia.org/resource/McKinsey_%26_Company> .

<#lilli> a schema:SoftwareApplication, schema:Product ;
  schema:name "Lilli"@en ;
  schema:brand <#mckinsey> ;
  schema:applicationCategory "Internal enterprise AI platform"@en ;
  schema:description """The article describes Lilli as McKinsey's internal AI platform for chat, document analysis, retrieval over proprietary research, and AI-powered enterprise search."""@en .

<#autonomous-offensive-agent> a schema:DefinedTerm ;
  schema:name "Autonomous offensive agent"@en ;
  schema:description """The research agent described in the article as operating without credentials, insider knowledge, or human-in-the-loop guidance while mapping, probing, chaining, and escalating findings."""@en .

<#attack-surface-mapping> a schema:DefinedTerm ;
  schema:name "Attack surface mapping"@en ;
  schema:description """The process the article describes where the agent enumerated exposed API documentation and publicly reachable endpoints before attempting deeper exploitation."""@en .

<#json-key-sql-injection> a schema:DefinedTerm ;
  schema:name "JSON-key SQL injection"@en ;
  schema:description """The article claims the vulnerable endpoint parameterized values safely but concatenated JSON field names directly into SQL, so the field names, rather than the values, were the injection point."""@en .

<#idor-vulnerability> a schema:DefinedTerm ;
  schema:name "IDOR vulnerability"@en ;
  schema:description """An insecure direct object reference that the article says was chained with the SQL injection to read individual employee search histories."""@en .

<#prompt-layer-compromise> a schema:DefinedTerm ;
  schema:name "Prompt layer compromise"@en ;
  schema:description """The ability to modify system prompts that control AI behavior, guardrails, citation behavior, and refusal patterns without changing code or redeploying infrastructure."""@en .

<#rag-document-chunks> a schema:DefinedTerm ;
  schema:name "RAG document chunks"@en ;
  schema:description """The chunked knowledge-base entries feeding the AI retrieval pipeline, described by the article as including proprietary internal research and file metadata."""@en .

<#production-database-exposure> a schema:DefinedTerm ;
  schema:name "Production database exposure"@en ;
  schema:description """The state described by the article where the agent obtained broad read and write access to production data stores, enabling extraction of messages, files, users, prompts, and metadata."""@en .

<#responsible-disclosure> a schema:DefinedTerm ;
  schema:name "Responsible disclosure"@en ;
  schema:description """The article states that the findings were disclosed privately first, verification-only testing was used, and publication happened after remediation was confirmed."""@en .

<#responsible-disclosure-policy> a schema:DefinedTerm ;
  schema:name "Responsible disclosure policy"@en ;
  schema:url <https://hackerone.com/> ;
  schema:description """The article notes that the autonomous agent cited McKinsey's public disclosure policy as part of staying within the research guardrails."""@en .

<#defined-terms> a schema:DefinedTermSet ;
  schema:name "Defined terms for How We Hacked McKinsey's AI Platform"@en ;
  schema:hasPart
    <#autonomous-offensive-agent>,
    <#attack-surface-mapping>,
    <#json-key-sql-injection>,
    <#idor-vulnerability>,
    <#prompt-layer-compromise>,
    <#rag-document-chunks>,
    <#production-database-exposure>,
    <#responsible-disclosure>,
    <#responsible-disclosure-policy> ;
  schema:isPartOf <#article> .

<#part-entry> a schema:WebPageElement ;
  schema:name "How It Got In"@en ;
  schema:position 1 ;
  schema:about <#attack-surface-mapping>, <#json-key-sql-injection> ;
  schema:text """The article says the agent found publicly exposed API documentation, identified twenty-two unauthenticated endpoints, then recognized a SQL injection through reflected error messages caused by unsafely concatenated JSON keys."""@en .

<#part-data> a schema:WebPageElement ;
  schema:name "What Was Inside"@en ;
  schema:position 2 ;
  schema:about <#production-database-exposure>, <#lilli> ;
  schema:text """The article reports broad access to tens of millions of chat messages, hundreds of thousands of files, tens of thousands of user accounts, and the structure of internal AI assistants and workspaces."""@en .

<#part-expanded-scope> a schema:WebPageElement ;
  schema:name "Beyond the Database"@en ;
  schema:position 3 ;
  schema:about <#rag-document-chunks>, <#idor-vulnerability>, <#prompt-layer-compromise> ;
  schema:text """The article extends the impact beyond chats and files, claiming exposure of prompt configurations, model settings, RAG knowledge chunks, external API pipeline metadata, and cross-user access through an IDOR chain."""@en .

<#part-prompts> a schema:WebPageElement ;
  schema:name "Compromising The Prompt Layer"@en ;
  schema:position 4 ;
  schema:about <#prompt-layer-compromise> ;
  schema:text """The article argues that write access to prompts could let an attacker poison advice, exfiltrate data via model output, strip guardrails, and persist silently, because prompt changes may not leave the traces that ordinary infrastructure changes do."""@en .

<#part-implications> a schema:WebPageElement ;
  schema:name "Why This Matters"@en ;
  schema:position 5 ;
  schema:about <#autonomous-offensive-agent>, <#prompt-layer-compromise> ;
  schema:text """The article frames the incident as evidence that autonomous agents can discover and chain ordinary bug classes faster than checklist-based scanning and that prompts should be treated as high-value security assets."""@en .

<#part-disclosure> a schema:WebPageElement ;
  schema:name "Disclosure Timeline"@en ;
  schema:position 6 ;
  schema:about <#responsible-disclosure> ;
  schema:text """The timeline describes discovery on February 28, 2026, disclosure on March 1, patch acknowledgement and fixes on March 2, and public disclosure on March 9 after remediation verification."""@en .

<#security-research-howto> a schema:HowTo ;
  schema:name "How the article describes the research sequence"@en ;
  schema:about <#autonomous-offensive-agent>, <#responsible-disclosure> ;
  schema:isPartOf <#article> ;
  schema:step <#step-1>, <#step-2>, <#step-3>, <#step-4> ;
  schema:description """The article presents a sequence of autonomous attack surface mapping, exploitation by iterative inference, scope confirmation through linked weaknesses, and post-discovery responsible disclosure and verification-only validation."""@en .

<#step-1> a schema:HowToStep ;
  schema:name "Map the public attack surface"@en ;
  schema:position 1 ;
  schema:text "The agent enumerated public endpoints and documentation to identify unauthenticated reachable paths."@en ;
  schema:isPartOf <#security-research-howto> .

<#step-2> a schema:HowToStep ;
  schema:name "Infer exploitability from reflected errors"@en ;
  schema:position 2 ;
  schema:text "The article says reflected database errors revealed a SQL injection path in concatenated JSON field names."@en ;
  schema:isPartOf <#security-research-howto> .

<#step-3> a schema:HowToStep ;
  schema:name "Expand scope through chaining"@en ;
  schema:position 3 ;
  schema:text "Once production data was exposed, the agent chained the flaw with additional access issues to establish the broader extent of the impact."@en ;
  schema:isPartOf <#security-research-howto> .

<#step-4> a schema:HowToStep ;
  schema:name "Disclose and verify remediation"@en ;
  schema:position 4 ;
  schema:text "The article states that testing remained verification-only, findings were disclosed privately, and public release came after fixes were confirmed."@en ;
  schema:isPartOf <#security-research-howto> .

<#faq-1> a schema:Question ;
  schema:name "What system was targeted?"@en ;
  schema:text "What system was targeted?"@en ;
  schema:acceptedAnswer <#faq-1-answer> ;
  schema:isPartOf <#article> .
<#faq-1-answer> a schema:Answer ;
  schema:text "The article says the target was Lilli, McKinsey's internal AI platform for chat, document analysis, retrieval, and search."@en ;
  schema:isPartOf <#article> .

<#faq-2> a schema:Question ;
  schema:name "How did the agent initially get in?"@en ;
  schema:text "How did the agent initially get in?"@en ;
  schema:acceptedAnswer <#faq-2-answer> ;
  schema:isPartOf <#article> .
<#faq-2-answer> a schema:Answer ;
  schema:text "The article claims the agent found public API documentation and unauthenticated endpoints, then exploited a SQL injection in JSON keys."@en ;
  schema:isPartOf <#article> .

<#faq-3> a schema:Question ;
  schema:name "What made the SQL injection unusual?"@en ;
  schema:text "What made the SQL injection unusual?"@en ;
  schema:acceptedAnswer <#faq-3-answer> ;
  schema:isPartOf <#article> .
<#faq-3-answer> a schema:Answer ;
  schema:text "According to the article, values were parameterized safely, but JSON field names were concatenated into SQL, which standard tooling did not flag."@en ;
  schema:isPartOf <#article> .

<#faq-4> a schema:Question ;
  schema:name "What kinds of data were reportedly exposed?"@en ;
  schema:text "What kinds of data were reportedly exposed?"@en ;
  schema:acceptedAnswer <#faq-4-answer> ;
  schema:isPartOf <#article> .
<#faq-4-answer> a schema:Answer ;
  schema:text "The article reports chats, files, user accounts, assistants, workspaces, prompt configurations, RAG chunks, and cross-user search history."@en ;
  schema:isPartOf <#article> .

<#faq-5> a schema:Question ;
  schema:name "Why does the article emphasize the prompt layer?"@en ;
  schema:text "Why does the article emphasize the prompt layer?"@en ;
  schema:acceptedAnswer <#faq-5-answer> ;
  schema:isPartOf <#article> .
<#faq-5-answer> a schema:Answer ;
  schema:text "Because write access to prompts could silently alter AI behavior, remove guardrails, poison outputs, or exfiltrate data without a conventional deployment event."@en ;
  schema:isPartOf <#article> .

<#faq-6> a schema:Question ;
  schema:name "What is the article's main security thesis?"@en ;
  schema:text "What is the article's main security thesis?"@en ;
  schema:acceptedAnswer <#faq-6-answer> ;
  schema:isPartOf <#article> .
<#faq-6-answer> a schema:Answer ;
  schema:text "The central claim is that autonomous offensive agents can find and chain real attack paths faster than checklist-style scanning and that prompt layers are now crown-jewel assets."@en ;
  schema:isPartOf <#article> .

<#faq-7> a schema:Question ;
  schema:name "What did the article say about tooling gaps?"@en ;
  schema:text "What did the article say about tooling gaps?"@en ;
  schema:acceptedAnswer <#faq-7-answer> ;
  schema:isPartOf <#article> .
<#faq-7-answer> a schema:Answer ;
  schema:text "It says standard scanners such as OWASP ZAP did not identify the issue, while the autonomous agent iteratively inferred the query shape from error messages."@en ;
  schema:isPartOf <#article> .

<#faq-8> a schema:Question ;
  schema:name "What was the stated disclosure process?"@en ;
  schema:text "What was the stated disclosure process?"@en ;
  schema:acceptedAnswer <#faq-8-answer> ;
  schema:isPartOf <#article> .
<#faq-8-answer> a schema:Answer ;
  schema:text "The article says discovery happened on February 28, 2026, disclosure email went out on March 1, fixes were acknowledged and deployed on March 2, and public disclosure followed on March 9."@en ;
  schema:isPartOf <#article> .

<#faq-9> a schema:Question ;
  schema:name "What guardrails did the article claim for the research?"@en ;
  schema:text "What guardrails did the article claim for the research?"@en ;
  schema:acceptedAnswer <#faq-9-answer> ;
  schema:isPartOf <#article> .
<#faq-9-answer> a schema:Answer ;
  schema:text "The article says testing was verification-only, limited to what was necessary to confirm impact, caused no service disruption, and followed responsible disclosure principles."@en ;
  schema:isPartOf <#article> .

<#faq-10> a schema:Question ;
  schema:name "What business message does CodeWall attach to the research?"@en ;
  schema:text "What business message does CodeWall attach to the research?"@en ;
  schema:acceptedAnswer <#faq-10-answer> ;
  schema:isPartOf <#article> .
<#faq-10-answer> a schema:Answer ;
  schema:text "CodeWall uses the incident to argue for continuous AI-driven offensive security testing against real-world attack surfaces."@en ;
  schema:isPartOf <#article> .
