Tag: prompt-injection
-
Embrace The Red: Turning ChatGPT Codex Into A ZombAI Agent
Source URL: https://embracethered.com/blog/posts/2025/chatgpt-codex-remote-control-zombai/
Source: Embrace The Red
Title: Turning ChatGPT Codex Into A ZombAI Agent
Feedly Summary: Today we cover ChatGPT Codex as part of the Month of AI Bugs series. ChatGPT Codex is a cloud-based software engineering agent that answers codebase questions, executes code, and drafts pull requests. In particular, this post will demonstrate…
-
Embrace The Red: Exfiltrating Your ChatGPT Chat History and Memories With Prompt Injection
Source URL: https://embracethered.com/blog/posts/2025/chatgpt-chat-history-data-exfiltration/
Source: Embrace The Red
Title: Exfiltrating Your ChatGPT Chat History and Memories With Prompt Injection
Feedly Summary: In this post we demonstrate how a bypass in OpenAI’s “safe URL” rendering feature allows ChatGPT to send personal information to a third-party server. This can be exploited by an adversary via a prompt injection…
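The bypass described above targets a URL-vetting step that runs before ChatGPT renders a link or image. A minimal sketch of what strict vetting looks like — the helper name, allowlist, and policy here are illustrative assumptions, not OpenAI’s actual implementation:

```python
from urllib.parse import urlparse

# Hypothetical "safe URL" check: render only exact-match trusted hosts,
# and refuse any URL whose query string or fragment could smuggle data
# out (injected prompts typically ask the model to append secrets there).
ALLOWED_HOSTS = {"example-cdn.com"}  # assumption: a small fixed trust set

def is_safe_to_render(url: str) -> bool:
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    if parsed.hostname not in ALLOWED_HOSTS:
        return False
    # Query strings and fragments are the classic exfiltration channel.
    if parsed.query or parsed.fragment:
        return False
    return True

print(is_safe_to_render("https://example-cdn.com/logo.png"))        # True
print(is_safe_to_render("https://evil.example/?data=chat-history")) # False
```

The lesson of the post is that anything looser than this — wildcard hosts, partial matches, or vetting that skips some render paths — leaves an adversary room to encode chat history into a URL the model is tricked into rendering.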
-
Simon Willison’s Weblog: Quoting ICML 2025
Source URL: https://simonwillison.net/2025/Jul/23/icml-2025/#atom-everything
Source: Simon Willison’s Weblog
Title: Quoting ICML 2025
Feedly Summary: Submitting a paper with a “hidden” prompt is scientific misconduct if that prompt is intended to obtain a favorable review from an LLM. The inclusion of such a prompt is an attempt to subvert the peer-review process. Although ICML 2025 reviewers are…
-
Simon Willison’s Weblog: Voxtral
Source URL: https://simonwillison.net/2025/Jul/16/voxtral/#atom-everything
Source: Simon Willison’s Weblog
Title: Voxtral
Feedly Summary: Voxtral Mistral released their first audio-input models yesterday: Voxtral Small and Voxtral Mini. These state-of-the-art speech understanding models are available in two sizes—a 24B variant for production-scale applications and a 3B variant for local and edge deployments. Both versions are released under the Apache…
-
Schneier on Security: Hiding Prompt Injections in Academic Papers
Source URL: https://www.schneier.com/blog/archives/2025/07/hiding-prompt-injections-in-academic-papers.html
Source: Schneier on Security
Title: Hiding Prompt Injections in Academic Papers
Feedly Summary: Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University…
-
Simon Willison’s Weblog: Supabase MCP can leak your entire SQL database
Source URL: https://simonwillison.net/2025/Jul/6/supabase-mcp-lethal-trifecta/#atom-everything
Source: Simon Willison’s Weblog
Title: Supabase MCP can leak your entire SQL database
Feedly Summary: Supabase MCP can leak your entire SQL database Here’s yet another example of a lethal trifecta attack, where an LLM system combines access to private data, exposure to potentially malicious instructions and a mechanism to communicate data…
-
Simon Willison’s Weblog: Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk
Source URL: https://simonwillison.net/2025/Jun/19/atlassian-prompt-injection-mcp/
Source: Simon Willison’s Weblog
Title: Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk
Feedly Summary: Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk Stop me if you’ve heard this one before: A…
-
Simon Willison’s Weblog: 100% effective
Source URL: https://simonwillison.net/2025/Jun/16/100-percent/#atom-everything
Source: Simon Willison’s Weblog
Title: 100% effective
Feedly Summary: Every time I get into an online conversation about prompt injection it’s inevitable that someone will argue that a mitigation which works 99% of the time is still worthwhile because there’s no such thing as a security fix that is 100% guaranteed to…
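The arithmetic behind Willison’s objection is worth making explicit: unlike a random failure, an adversary gets unlimited retries, so a per-attempt block rate compounds against the defender. A small worked example:

```python
# If a mitigation blocks each injection attempt independently with
# probability 0.99, the chance the attacker succeeds at least once
# over n attempts is 1 - 0.99**n.
def attacker_success_probability(block_rate: float, attempts: int) -> float:
    return 1 - block_rate ** attempts

for n in (1, 100, 1000):
    p = attacker_success_probability(0.99, n)
    print(f"{n:>5} attempts -> {p:.1%} chance of at least one breach")
```

At 100 attempts the attacker already succeeds more often than not, and at 1000 attempts success is effectively certain — which is why a 99%-effective filter is a useful defense-in-depth layer but not a security boundary.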
-
Simon Willison’s Weblog: The lethal trifecta for AI agents: private data, untrusted content, and external communication
Source URL: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/#atom-everything
Source: Simon Willison’s Weblog
Title: The lethal trifecta for AI agents: private data, untrusted content, and external communication
Feedly Summary: If you are a user of LLM systems that use tools (you can call them “AI agents” if you like) it is critically important that you understand the risk of combining tools…
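The trifecta is a property of an agent’s combined tool set, which makes it easy to audit mechanically. A minimal sketch — the capability-tagging scheme is an assumption for illustration, not an API from the post:

```python
# Audit an agent's tools for the "lethal trifecta": access to private
# data, exposure to untrusted content, and an external communication
# channel. All three together enable data exfiltration via injection.
from dataclasses import dataclass

@dataclass(frozen=True)
class Tool:
    name: str
    reads_private_data: bool = False
    ingests_untrusted_content: bool = False
    communicates_externally: bool = False

def has_lethal_trifecta(tools: list[Tool]) -> bool:
    return (
        any(t.reads_private_data for t in tools)
        and any(t.ingests_untrusted_content for t in tools)
        and any(t.communicates_externally for t in tools)
    )

tools = [
    Tool("sql_query", reads_private_data=True),
    Tool("fetch_webpage", ingests_untrusted_content=True),
    Tool("send_http_request", communicates_externally=True),
]
print(has_lethal_trifecta(tools))  # True: removing any one leg breaks the attack
```

The point of the framing is that you only need to remove one leg — drop the exfiltration channel, or keep untrusted content out of the context, or withhold private data — to defuse the combination.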
-
Simon Willison’s Weblog: An Introduction to Google’s Approach to AI Agent Security
Source URL: https://simonwillison.net/2025/Jun/15/ai-agent-security/#atom-everything
Source: Simon Willison’s Weblog
Title: An Introduction to Google’s Approach to AI Agent Security
Feedly Summary: Here’s another new paper on AI agent security: An Introduction to Google’s Approach to AI Agent Security, by Santiago Díaz, Christoph Kern, and Kara Olive. (I wrote about a different recent paper, Design Patterns for Securing…