Billing can be bypassed using a combo of subagents with an agent definition

132 points by napolux | 2026-02-08 | 68 comments
View original (github.com)

Summary

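A security vulnerability that allows billing to be bypassed has been found in the VS Code Copilot Chat extension. By using subagents together with a specific agent definition and taking advantage of a "free" model, a user can make unlimited premium requests. The vulnerability works by configuring a free model as the initial agent and then instructing a subagent, via a tool call, to use a premium model, which effectively nullifies the charges for the expensive service.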
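The billing flaw summarized above, as an added example (not code from the issue or from the Copilot extension): a session priced by its initial agent's model is compared with metering every invocation, subagent calls included, by the model that actually served it. The model names, the price table and the session data are constructed, and the metering is assumed to run server-side.

```python
from dataclasses import dataclass, field

# Constructed price table (premium-request units per call); not real Copilot pricing.
# An unknown model raises KeyError, so metering fails closed instead of charging 0.
COST = {"free-model": 0.0, "premium-model": 1.0}


@dataclass
class Invocation:
    model: str                                    # model that actually served this call
    children: list = field(default_factory=list)  # subagent calls spawned via tool calls


def billed_by_root(root):
    """Flawed metering: the whole session is priced by the initial agent's model."""
    return COST[root.model]


def walk(inv):
    """Yield an invocation and every subagent invocation beneath it."""
    yield inv
    for child in inv.children:
        yield from walk(child)


def billed_by_served_model(root):
    """Corrected metering: each invocation is priced by the model that served it."""
    return sum(COST[i.model] for i in walk(root))


def reconcile(sessions):
    """Return ids of sessions whose billed units fall short of the units served."""
    return [sid for sid, root in sessions.items()
            if billed_by_root(root) < billed_by_served_model(root)]


# Constructed sample sessions: s3 has a free initial agent with premium subagents.
SESSIONS = {
    "s1": Invocation("free-model"),
    "s2": Invocation("premium-model"),
    "s3": Invocation("free-model", [
        Invocation("premium-model"),
        Invocation("premium-model", [Invocation("premium-model")]),
    ]),
}

if __name__ == "__main__":
    for sid, root in SESSIONS.items():
        print(sid, billed_by_root(root), billed_by_served_model(root))
    print("under-billed:", reconcile(SESSIONS))
```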

Comments (58)

AustinDev, 3 hours ago
Is it just me or is Microsoft really phoning it in recently?
PlatoIsADisease, 3 hours ago
Their software seems like it. Their sales team is brutal.
VerifiedReports, 3 hours ago
Recently? They've been shipping absolute trash for 15 years, and still haven't reached the bottom apparently.
dotancohen, 2 hours ago
You must be new here.

Microsoft notoriously tolerated pirated Windows and Office installations for about a decade and a half, to solidify their usage as de facto standard and expected. Tolerating unofficial free usage of their latest products is standard procedure for MS.

falloutx, 2 hours ago
By recently, you mean since 2007
pixelmelt, 3 hours ago
Was good while it lasted, I hope Microsoft continues their new tradition of vibe coding their billing systems :p
scrubs, 2 hours ago
Oh that was pithy, mean, and just the right amount of taking-it-personally. Well done!
VerifiedReports, 3 hours ago
Billing for what?
rf15, 3 hours ago
The access to premium models. This much should have been evident from reading the ticket.
numpad0, 2 hours ago
> Copilot Chat Extension Version: 0.37.2026013101

> VS Code Version: 1.109.0-insider (Universal) - f3d99de

Presumably there is such a thing as the freemium pay-able "Copilot Chat Extension" for VS Code product. Interesting, I guess.

ramon156, 3 hours ago
The last comment is a person pretending to be a maintainer of Microsoft. I have a gut feeling that these kinds of people will only increase, and we'll have vibe engineers scouring popular repositories to "contribute" (note that the suggested fix is vague).

I completely understand why some projects are in whitelist-contributors-only mode. It's becoming a mess.

iib, 3 hours ago
Some were already that and even more, because of other reasons. The Cathedral model, described in "The Cathedral and the Bazaar".
RobotToaster, 3 hours ago
> I completely understand why some projects are in whitelist-contributors-only mode. It's becoming a mess.

That repo alone has 1.1k open pull requests, madness.

markstos, 2 hours ago
Nowhere in the comment do they assert they work for Microsoft.

This is a peer-review.

albert_e, 2 hours ago
On the other hand ... I recently had to deal with official Microsoft Support for an Azure service degradation / silent failure.

Their email responses were broadly all like this -- fully drafted by GPT. The only thing I liked about that whole exchange was that GPT was readily willing to concede that all the details and observations I included point to a service degradation and failure on Microsoft side. A purely human mind would not have so readily conceded the point without some hedging or dilly-dallying or keeping some options open to avoid accepting blame.

Cyphus, 2 hours ago
I wholly agree, the response screams “copied from ChatGPT” to me. “Contributions” like these comments and drive by PRs are a curse on open source and software development in general.

As someone who takes pride in being thorough and detail oriented, I cannot stand when people provide the bare minimum of effort in response. Earlier this week I created a bug report for an internal software project on another team. It was a bizarre behavior, so out of curiosity and a desire to be truly helpful, I spent a couple hours whittling the issue down to a small, reproducible test case. I even had someone on my team run through the reproduction steps to confirm it was reproducible on at least one other environment.

The next day, the PM of the other team responded with a _screenshot of an AI conversation_ saying the issue was on my end for misusing a standard CLI tool. I was offended on so many levels. For one, I wasn’t using the CLI tool in the way it describes, and even if I was it wouldn’t affect the bug. But the bigger problem is that this person thinks a screenshot of an AI conversation is an acceptable response. Is this what talking to semi technical roles is going to be like from now on? I get to argue with an LLM by proxy of another human? Fuck that.

falloutx, 2 hours ago
Exactly, I have seen these know-it-all comments on my own repos and also tldraw's issues when adding issues. They add nothing to the conversation, they just paste the conversation into some coding tool and spit out the info.
blibble, 3 hours ago
the "AI" bot closing the issue here is particularly funny
anonymars, 2 hours ago
Vibes all the way down. "Please check out this other slop issue with 5-600 other tickets pointed to it" -- I was going to ask, how is anyone supposed to make sense of such a mess, but I guess the answer is "no human is supposed to"
peacebeard, 3 hours ago
My guess is either someone raised this internally and was told it was fine, or knew but didn't bother raising it since they knew they’d be blown off.
zkmon, 3 hours ago
Nothing compared to pirated CDs with Office and Windows, 20 yrs back.
stanac, 2 hours ago
They don't care, they would rather let you use pirated MS software than move to Linux. There is a repo on GH with powershell scripts for activating windows/office and they let it sit there. Just checked, repo has 165K stars.

This could be the same, they know devs mostly prefer to use cursor and/or claude than copilot.

light_hue_1, 3 hours ago
Why would you report this?!

A second time. When they already closed your first issue. Just enjoy the free ride.

anonymars, 2 hours ago
Some part of me says, let their vibing have a cost, since clearly "overall product quality going to shit" hasn't had a visible effect on their trajectory
brushfoot, 2 hours ago
Even without hacks, Copilot is still a cheap way to use Claude models:

- $10/month

- Copilot CLI for Claude Code type CLI, VS Code for GUI

- 300 requests (prompts) on Sonnet 4.5, 100 on Opus 4.6 (3x)

- One prompt only ever consumes one request, regardless of tokens used

- Agents auto plan tasks and create PRs

- "New Agent" in VS Code runs agent locally

- "New Cloud Agent" runs agent in the cloud (https://github.com/copilot/agents)

- Additional requests cost $0.04 each

piker, 2 hours ago
+1. I see all these posts about tokens, and I'm like "who's paying by the token?"
[deleted comment]
indigodaddy, 1 hour ago
So 100 Opus requests a month? That's not a lot.
thenewwazoo, 2 hours ago
Every time I see something about trying to control an LLM by sending instructions to the LLM, I wonder: have we really learned nothing of the pitfalls of in-band signaling since the days of phreaking?
Mountain_Skies, 2 hours ago
It'll be a sad day for Little Bobby Tables if in-band signaling ever goes out of fashion.
quadrature, 2 hours ago
Sure but the exploit here isn’t prompt injection, it is an edge case in their billing that isn’t attributing agent calls correctly.
cpa, 2 hours ago
It reminds me of when I used to write lisp, where code is data. You can abuse reflection (and macros) to great effect, but you never feel safe.

See also: string interpolation and SQL injection, (unhygienic) C macros

direwolf20, 1 hour ago
Phreaking was an intentional decision, because otherwise they could have carried fewer channels on each link.
g947o, 2 hours ago
> Note: Initially submitted this to MSRC (VULN-172488), MSRC insisted bypassing billing is outside of MSRC scope and instructed me multiple times to file as a public bug report.

Good job, Microsoft.

syl5x, 2 hours ago
[deleted comment]
sciencejerk, 2 hours ago
Have confirmed that many of these AI agents and Agentic IDEs implement business logic and guardrails LOCALLY on the device.

(Source: submitted similar issue to different Agentic LLM provider)

direwolf20, 1 hour ago
Who would report this? Are they hoping for a bug bounty or they know their competitors are using the technique?