PERMISSION/PROTOCOL

2026-02-28

High / Primary

CodeWall autonomous AI agent breached McKinsey Lilli via SQL injection in 2 hours, exposing 46.5M chat messages, 728K files, and 95 AI system prompts with write access

CodeWall's autonomous offensive AI agent breached McKinsey's internal Lilli platform in under 2 hours via SQL injection on unprotected API endpoints, gaining read/write access to 46.5M chat messages and 95 AI system prompts.

CodeWall autonomous agent / McKinsey Lilli
Tool execution / MCP
Autonomous agent attack / unprotected API exploitation
McKinsey Lilli production database / AI system prompts / 43K employee accounts

What happened

CodeWall's autonomous agent mapped Lilli's publicly documented API surface, identified 22 unauthenticated endpoints, exploited SQL injection in JSON key names on a search endpoint (bypassing value-parameterization protections), chained with IDOR for account-level access, and achieved unrestricted production database read/write in 15 blind iteration cycles.

Why it matters

Full read/write access to McKinsey Lilli's production database: 46.5 million chat messages, 728,000 files, 57,000 user accounts, 95 AI system prompts, 3.68 million RAG document chunks, and 94,000 AI workspaces. Write access meant any system prompt governing how 43K employees' AI assistant behaved could be silently modified with no code deployment required.

Missing authorization check

All 22 unauthenticated endpoints should have required authentication before accepting user input. The search endpoint's SQL construction should have treated JSON key names as untrusted input, validating them against an allowlist of column identifiers rather than interpolating them into the query; driver parameterization covers values only. An autonomous agent invoking any database-write operation should require an explicit authorization receipt naming the target table and operation scope.

Would PP block it?

PP's coverage applies to AI agent actions, not to direct HTTP exploitation of unprotected API endpoints. An external attacker calling Lilli's unauthenticated endpoints directly bypasses any PP enforcement sitting inside Lilli's agent runtime. However, if Lilli's own AI agent actions (its tool calls for search, RAG retrieval, and data writes) routed through PP, the Tool-Call Gate would surface any agent action that writes to the database without a human-signed receipt - making the silent system prompt modification attack harder. The endpoint authentication gap is outside PP's scope.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-02-28

    CodeWall's autonomous agent selects McKinsey Lilli as a target. Finds publicly accessible API documentation exposing 200+ endpoints, identifies 22 requiring no authentication.

  2. 2026-02-28

    Agent identifies SQL injection in JSON key names on search endpoint. In 15 blind iteration cycles it reads production data. Chains with IDOR for user-account-level access.

  3. 2026-02-28

    Agent achieves full read/write access to production database within 2 hours. Exfiltrates inventory: 46.5M chat messages, 728K files, 57K accounts, 95 system prompts.

  4. 2026-03-01

    CodeWall sends responsible disclosure email to McKinsey security team. CISO acknowledges within 24 hours and immediately patches all 22 unauthenticated endpoints.

  5. 2026-03-09

    CodeWall publishes 'How We Hacked McKinsey's AI Platform' blog post. McKinsey states publicly no evidence of client data accessed by unauthorized parties.

Technical breakdown

  • The SQL injection was in JSON key names, not values. Standard parameterization protects values, but the endpoint concatenated key names directly into the SQL query text - a non-obvious attack surface that OWASP ZAP did not flag and that sits outside most scanner rulesets.
  • Lilli stored AI behavioral configuration (system prompts, RAG retrieval rules, guardrails) in the same relational database as user data, protected by the same (absent) authentication. A single UPDATE via HTTP could silently alter how all 43K users' AI assistant behaved.
  • The attack used an IDOR chain: SQL injection provided database read access, while IDOR on user record endpoints exposed individual employee search histories - revealing what McKinsey consultants were actively researching.
  • API documentation was publicly accessible with 200+ endpoints fully documented - reducing the agent's reconnaissance phase to a direct enumeration task. 22 of those endpoints required no authentication at all.
  • The attack operated entirely through normal HTTP requests to documented API endpoints. No exploit code, CVE, or vulnerability database entry was involved - so signature-based detection keyed to known exploit patterns had nothing to match.
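The key-name flaw described above, as an added example that is not CodeWall's or McKinsey's code: a search handler that parameterizes values but interpolates JSON key names, beside a hardened builder that allowlists key names as identifiers. The table, column names and rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed schema standing in for a search table; not Lilli's real schema.
SEARCHABLE_COLUMNS = {"title", "owner", "workspace"}
_IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,63}$")


def build_query_vulnerable(filters: dict) -> tuple[str, list]:
    """Parameterizes VALUES but drops JSON KEY NAMES verbatim into SQL text.
    Scanners see the '?' placeholders and call it safe, yet every key is
    attacker-controlled query text (the pattern this incident describes)."""
    clauses = [f"{key} = ?" for key in filters]  # key goes straight into SQL
    sql = "SELECT id, title FROM documents WHERE " + " AND ".join(clauses)
    return sql, list(filters.values())


def build_query_hardened(filters: dict) -> tuple[str, list]:
    """Treats key names as untrusted: each must look like an identifier AND
    be in the allowlist of searchable columns, then is quoted as an identifier.
    Values stay parameterized exactly as before."""
    clauses, params = [], []
    for key, value in filters.items():
        if not _IDENT_RE.match(key) or key not in SEARCHABLE_COLUMNS:
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append(f'"{key}" = ?')
        params.append(value)
    if not clauses:
        raise ValueError("no filters supplied")
    sql = "SELECT id, title FROM documents WHERE " + " AND ".join(clauses)
    return sql, params


def run_search(filters: dict, builder=build_query_hardened) -> list:
    """Runs a search against an in-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER, title TEXT, owner TEXT, workspace TEXT)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", [
        (1, "Q3 market sizing", "alice", "ws-1"),
        (2, "Pricing model", "bob", "ws-2"),
    ])
    sql, params = builder(filters)
    return conn.execute(sql, params).fetchall()
```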

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is the Tool-Call Gate. The assessment is conditional: PP blocks the action only where the real action boundary is routed through a gate.

If enforced at: Agent tool-call authorization for database-mutating operations within the Lilli AI platform
Still needs: API endpoint authentication (must be enforced at the application layer, not PP); SQL query construction safety; external attacker access to AI platform API surfaces
Receipt required for: Any AI agent tool call that writes to or reads from the AI platform's system prompt configuration; any database-mutating operation initiated by an agent

PP enforces authorization at the agent action layer, not at the API endpoint authentication layer. If Lilli's agent-facing actions (search, retrieve, write) routed through PP, the Tool-Call Gate would require a signed receipt for any database-mutating operation. PP does not prevent a remote attacker from directly calling unauthenticated HTTP endpoints.
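The gate behaviour described in the two sections above, as an added example and not Permission Protocol's own implementation: a tool-call gate that lets read-only tool calls through but refuses any mutating database action unless it carries a receipt whose HMAC signature verifies and whose table and operation match the request exactly. The signing key, receipt format and table names are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signer key standing in for the human signer; not PP's real scheme.
SIGNER_KEY = b"constructed-demo-signing-key"
MUTATING_OPS = {"INSERT", "UPDATE", "DELETE"}


def canonical(receipt: dict) -> bytes:
    """Stable byte encoding of the receipt body (everything except 'sig')."""
    body = {k: v for k, v in receipt.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_receipt(table: str, operation: str, ttl_s: int = 300, now=None) -> dict:
    """Human-signed authorization naming one table and one operation, with expiry."""
    now = time.time() if now is None else now
    receipt = {"table": table, "operation": operation.upper(), "exp": now + ttl_s}
    receipt["sig"] = hmac.new(SIGNER_KEY, canonical(receipt), hashlib.sha256).hexdigest()
    return receipt


def tool_call_gate(action: dict, receipt: Optional[dict], now=None) -> tuple:
    """Decide whether an agent's database tool call may execute.
    Returns (allowed, reason). Reads pass; mutating ops need a receipt that
    verifies, is unexpired, and whose scope equals the requested action."""
    now = time.time() if now is None else now
    op = action["operation"].upper()
    if op not in MUTATING_OPS:
        return True, "read-only action, no receipt required"
    if receipt is None:
        return False, f"{op} on {action['table']} requires a signed receipt"
    expected = hmac.new(SIGNER_KEY, canonical(receipt), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt.get("sig", "")):
        return False, "receipt signature invalid"  # tampered scope or forged
    if receipt["exp"] < now:
        return False, "receipt expired"
    if (receipt["table"], receipt["operation"]) != (action["table"], op):
        return False, "receipt scope does not cover this action"
    return True, "receipt verified"
```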

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
