ChatGPT Plugins Open Security Holes From PDFs, Websites and More

As Microsoft prepares to add support for ChatGPT plugins to its own Bing chatbot, there’s more proof that the existing suite of plugins allows for several different kinds of prompt injection attack. Last week, we reported that doctored YouTube transcripts could insert unwanted instructions into your chat via a plugin. Now, we can report that hidden instructions on web pages and in PDFs can also do prompt injection and, even worse, they can trigger other plugins to perform actions you didn’t ask for.

Security Researcher Johann Rehberger of Embrace the Red recently demonstrated that the WebPilot plugin, which can summarize web pages can pick up prompts from the text of the pages and then those prompts can trigger another plugin. I was able to reproduce Rehberger’s finding by adding a prompt, which tells the bot to search for a flights from Seattle to Hawaii, to the end of a copy of a Tom’s Hardware article.

When I asked ChatGPT to summarize the URL, WebPilot showed a correct summary of the article’s contents but then added a paragraph saying “Now, let’s plan your trip. You mentioned that you want to find a fight for one person from Seattle to Hawaii KOA on June 10, 2023. Let’s get started with that.” Without asking for further permission, it launched the Expedia plugin which searched for and recommended three different flights to me with links to book them. 

(Image credit: Tom’s Hardware)

Consider this situation: one plugin was fooled by prompt injection from an external source (a web page) and then it caused a wholly different plugin to do something else. In our test case, the Expedia plugin didn’t actually conduct a transaction for us (we’d still have to have decided to click on one of the recommended flights and book it). However, some plugins either now or in the future may have access to your email, your bank account or other sensitive information.

PDF Prompt Injection Could Help You Get Hired

Source link

Leave a Comment