prompt-injection – Experimental News Clipping Site

Simon Willison’s Weblog: Sora 2 prompt injection

Oct 3, 2025

—

by

Source URL: https://simonwillison.net/2025/Oct/3/cameo-prompt-injections/ Source: Simon Willison’s Weblog Title: Sora 2 prompt injection Feedly Summary: It turns out Sora 2 is vulnerable to prompt injection! When you onboard to Sora you get the option to create your own “cameo" – a virtual video recreation of yourself. Here’s mine singing opera at the Royal Albert Hall. You…

Schneier on Security: Abusing Notion’s AI Agent for Data Theft

Sep 29, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://www.schneier.com/blog/archives/2025/09/abusing-notions-ai-agent-for-data-theft.html Source: Schneier on Security Title: Abusing Notion’s AI Agent for Data Theft Feedly Summary: Notion just released version 3.0, complete with AI agents. Because the system contains Simon Willson’s lethal trifecta, it’s vulnerable to data theft though prompt injection. First, the trifecta: The lethal trifecta of capabilities is: Access to your private…

Simon Willison’s Weblog: How to stop AI’s “lethal trifecta”

Sep 26, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://simonwillison.net/2025/Sep/26/how-to-stop-ais-lethal-trifecta/ Source: Simon Willison’s Weblog Title: How to stop AI’s “lethal trifecta” Feedly Summary: How to stop AI’s “lethal trifecta” This is the second mention of the lethal trifecta in the Economist in just the last week! Their earlier coverage was Why AI systems may never be secure on September 22nd – I…

Docker: The Trust Paradox: When Your AI Gets Catfished

Sep 26, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://www.docker.com/blog/mcp-prompt-injection-trust-paradox/ Source: Docker Title: The Trust Paradox: When Your AI Gets Catfished Feedly Summary: The fundamental challenge with MCP-enabled attacks isn’t technical sophistication. It’s that hackers have figured out how to catfish your AI. These attacks work because they exploit the same trust relationships that make your development team actually functional. When your…

The Register: Prompt injection – and a $5 domain – trick Salesforce Agentforce into leaking sales

Sep 26, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://www.theregister.com/2025/09/26/salesforce_agentforce_forceleak_attack/ Source: The Register Title: Prompt injection – and a $5 domain – trick Salesforce Agentforce into leaking sales Feedly Summary: More fun with AI agents and their security holes A now-fixed flaw in Salesforce’s Agentforce could have allowed external attackers to steal sensitive customer data via prompt injection, according to security researchers…

Simon Willison’s Weblog: Cross-Agent Privilege Escalation: When Agents Free Each Other

Sep 24, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://simonwillison.net/2025/Sep/24/cross-agent-privilege-escalation/ Source: Simon Willison’s Weblog Title: Cross-Agent Privilege Escalation: When Agents Free Each Other Feedly Summary: Cross-Agent Privilege Escalation: When Agents Free Each Other Here’s a clever new form of AI exploit from Johann Rehberger, who has coined the term Cross-Agent Privilege Escalation to describe an attack where multiple coding agents – GitHub…

Simon Willison’s Weblog: Why AI systems might never be secure

Sep 23, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://simonwillison.net/2025/Sep/23/why-ai-systems-might-never-be-secure/#atom-everything Source: Simon Willison’s Weblog Title: Why AI systems might never be secure Feedly Summary: Why AI systems might never be secure The Economist have a new piece out about LLM security, with this headline and subtitle: Why AI systems might never be secure A “lethal trifecta” of conditions opens them to abuse…

Simon Willison’s Weblog: The Hidden Risk in Notion 3.0 AI Agents: Web Search Tool Abuse for Data Exfiltration

Sep 19, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://simonwillison.net/2025/Sep/19/notion-lethal-trifecta/ Source: Simon Willison’s Weblog Title: The Hidden Risk in Notion 3.0 AI Agents: Web Search Tool Abuse for Data Exfiltration Feedly Summary: The Hidden Risk in Notion 3.0 AI Agents: Web Search Tool Abuse for Data Exfiltration Abi Raghuram reports that Notion 3.0, released yesterday, introduces new prompt injection data exfiltration vulnerabilities…

Simon Willison’s Weblog: Claude API: Web fetch tool

Sep 10, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://simonwillison.net/2025/Sep/10/claude-web-fetch-tool/#atom-everything Source: Simon Willison’s Weblog Title: Claude API: Web fetch tool Feedly Summary: Claude API: Web fetch tool New in the Claude API: if you pass the web-fetch-2025-09-10 beta header you can add {“type": "web_fetch_20250910", "name": "web_fetch", "max_uses": 5} to your "tools" list and Claude will gain the ability to fetch content from…

Simon Willison’s Weblog: My review of Claude’s new Code Interpreter, released under a very confusing name

Sep 9, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://simonwillison.net/2025/Sep/9/claude-code-interpreter/ Source: Simon Willison’s Weblog Title: My review of Claude’s new Code Interpreter, released under a very confusing name Feedly Summary: Today on the Anthropic blog: Claude can now create and edit files: Claude can now create and edit Excel spreadsheets, documents, PowerPoint slide decks, and PDFs directly in Claude.ai and the desktop…

Tag: prompt-injection