Lenovo AI Chatbot Flaw Opens Door to XSS Attacks and Session Hijacking

Enterprise
Published: Fri, Aug 22, 2025 • By Dave Jones
Researchers uncovered a critical flaw in Lenovo’s AI chatbot, “Lena,” which allowed attackers to inject malicious prompts leading to cross-site scripting attacks. Exploitation could have exposed sensitive session cookies, enabled chat hijacking, and opened paths into enterprise environments.

Security researchers at Cybernews discovered that Lenovo’s AI-powered customer service bot, Lena, contained a critical cross-site scripting (XSS) vulnerability. By submitting crafted input of around 400 characters, attackers could manipulate the chatbot into returning unsafe HTML or JSON that bypassed server safeguards.

The flaw allowed malicious payloads—such as hidden image elements—to be embedded into responses. These payloads triggered calls to attacker-controlled servers, enabling session cookie theft. With valid session cookies, an adversary could hijack ongoing support chats, impersonate Lenovo agents, and gain access to transcripts or sensitive information exchanged with customers.

The impact extended beyond customer inconvenience. By gaining a trusted foothold in live chats, attackers could launch convincing social engineering attacks or use the compromised interface as a pivot point to deploy malware and establish persistence inside enterprise networks.

Lenovo has since patched the vulnerability, but the case highlights how AI-driven interfaces expand the attack surface. Chatbots frequently handle unstructured input and generate dynamic outputs, which increases the risk of injection attacks compared to traditional applications.

For security testers, the lesson is clear: treat AI systems as critical applications subject to injection testing and output sanitisation checks. Defenders should enforce strict character whitelisting, sandbox AI responses, and keep AI-generated output isolated from sensitive functions. As AI services proliferate, these controls will be essential to prevent seemingly small flaws from escalating into serious enterprise breaches.
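The output-encoding and detection controls recommended above, as an added example that is not code from Cybernews, Lenovo or the original article. It treats every chatbot reply as untrusted data: the reply is HTML-escaped before it can reach the page, and any reply that carries active markup (the hidden image element class of payload described above) is flagged so it can be logged and reviewed. The sample reply and the `example.invalid` host are constructed for the demonstration.

```javascript
// Added example: treat AI chatbot output as untrusted input to the browser.
// Two controls from the article's recommendations:
//   1. output encoding, so the reply is rendered as inert text, never as markup;
//   2. a detection check that flags replies containing executable or
//      resource-loading markup, for logging and review by the defenders.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: the characters that open tags or attributes become entities,
// so assigning the result to innerHTML shows the text rather than executing it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Detection: does the raw model output contain markup a browser would execute
// or use to fetch a remote resource? Returns the reasons found (empty if clean).
function findActiveMarkup(s) {
  const checks = [
    [/<\s*(script|iframe|object|embed)\b/i, 'script-like element'],
    [/<\s*(img|svg|video|audio|source|link)\b/i, 'resource-loading element'],
    [/\bon[a-z]+\s*=/i, 'inline event handler'],
    [/javascript\s*:/i, 'javascript: URL'],
  ];
  return checks.filter(([re]) => re.test(s)).map(([, why]) => why);
}

// Build the message object the chat UI renders: always the escaped form,
// plus a flag the application can use to log or quarantine the reply.
function renderChatbotMessage(raw) {
  const findings = findActiveMarkup(raw);
  return { html: escapeHtml(raw), flagged: findings.length > 0, findings };
}

// Constructed sample reply of the kind described in the article: a hidden
// image whose src points at a host outside the vendor's own origin.
const SAMPLE_REPLY =
  'Thanks for contacting support! <img src="https://example.invalid/x" style="display:none">';

console.log(renderChatbotMessage(SAMPLE_REPLY));
```

The flagged result is what a detection pipeline would alert on; the escaped `html` field is the only form that should ever reach the page.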
