By Jessica Lyons
Publication Date: 2025-12-24 18:22:00
Researchers at Pen Test Partners found four vulnerabilities in Eurostar’s public AI chatbot that could allow an attacker to inject malicious HTML content or cause the bot to leak its system prompts, among other security issues. The company’s thanks: an accusation of “blackmail”.
The researchers reported the vulnerabilities to the high-speed rail service as part of its vulnerability disclosure program. While Eurostar eventually fixed some of the problems, the train operator’s security chief allegedly accused the penetration testing team of blackmail during the responsible disclosure process.
According to a blog published this week by the penetration testing and security consulting firm, here’s what happened.
After initially reporting the security issues in a vulnerability disclosure program email on June 11 and receiving no response, bug hunter Ross Donald said he contacted Eurostar on June 18.