Back
Technology

Security Flaw Identified in Orchids AI Coding Platform Allowing Zero-Click Hacks

Generated on: Last updated: 1 sources
View source

Significant Zero-Click Cybersecurity Flaw Uncovered in Popular AI Coding Platform, Orchids

A significant, unfixed cyber-security vulnerability has been identified in Orchids, a popular AI coding platform that allows non-technical users to build applications via text prompts. The flaw was demonstrated to the BBC by cybersecurity researcher Etizaz Mohsin.

Vulnerability Details: Zero-Click Attack Demonstrated

Mohsin demonstrated that by exploiting a weakness in Orchids, he could gain access to a user's project, view and edit code, and inject malicious code. This allowed him to compromise a test laptop without any user interaction, installing a file and changing the wallpaper. This type of attack is known as a "zero-click" attack, as it requires no action from the victim to succeed.

Severe Potential Risks

The implications of such a hack are extensive and could be devastating for users:

  • Installation of viruses or malware on a user's machine.
  • Theft of private or financial data.
  • Access to internet history, cameras, and microphones.

About the Orchids Platform

Orchids claims to have a million users and is reportedly used by companies such as Google, Uber, and Amazon. It is rated highly for certain aspects of vibe-coding by analysts. The company, founded in 2025 and based in San Francisco, operates with fewer than 10 employees.

Delayed Company Response and Expert Warnings

Mohsin attempted to contact Orchids for several weeks regarding the flaw before receiving a response. The company indicated they might have missed his warnings due to being "overwhelmed with inbound" messages.

Cybersecurity experts are now emphasizing the significant security risks associated with agentic AI tools that autonomously carry out tasks.

Kevin Curran, professor of cybersecurity at Ulster University, stated that such code often fails under attack without proper discipline, documentation, and review.
Karolis Arbaciauskas, head of product at NordPass, advised caution, recommending users run these tools on separate, dedicated machines with disposable accounts due to the high level of access they require.