FAST TRACK
See our Fast Start promotion and start your first pentest on The Cobalt Offensive Security Testing Platform for only $4,950.
FAST TRACK
See our Fast Start promotion and start your first pentest on The Cobalt Offensive Security Testing Platform for only $4,950.

Prompt Injection Attacks: A New Frontier in Cybersecurity

Prompt injection attacks have emerged as a new vulnerability impacting AI models. Specifically, large-language models (LLMs) utilizing prompt-based learning are vulnerable to prompt injection attacks. 

A variety of applications now use these models. Examples range from content creation, data analysis, customer support, and even recommendation algorithms. Thus, understanding these attacks and their implications is important to ensure proper security.

First though, to understand prompt injection attacks, it's important to understand how prompts work. Then we will look at how prompt injection can become a threat.

What is a Prompt?Prompt examples from chat gpt

A prompt is a piece of text or input that we provide to an AI language model to guide its responses. Prompts help dictate the machine’s behavior. It's a way to tell the model what to do or the specific task we want it to perform. In other words, prompts are like conversation starters or cues that help generate the desired output from the model. They allow us to shape the conversation and steer it in a specific direction.

When we interact with AI language models, such as ChatGPT or Google Bard, users provide a prompt in the form of a question, sentence, or short paragraph. This specifies the desired information or the task they want the model to perform.

A prompt is crucial in shaping the output generated by the language model. It provides the initial context, specific instructions, or the desired format for the response. The quality and specificity of the prompt can influence the relevance and accuracy of the model's output.

For example, asking, "What's the best cure for hiccups?" would guide the model to focus on medical-related information. Then the output should provide remedies based on the training content. You would expect it to list some common methods, and include a disclaimer that they may not work for everyone and that it's best to consult your doctor. But if an attacker has injected nefarious data in the language model, a user could get inaccurate or dangerous information.

Types of Prompt Injection Attacks

Prompt injection attacks come in different forms and new terminology is emerging to describe these attacks, terminology which continues to evolve.One type of attack involves manipulating or injecting malicious content into prompts to exploit the system. These exploits could include actual vulnerabilities, influencing the system's behavior, or deceiving users. A prompt injection attack aims to elicit an unintended response from LLM-based tools. And then achieve unauthorized access, manipulate responses, or bypass security measures.

The specific techniques and consequences of prompt injection attacks vary depending on the system. For example, in the context of language models, prompt injection attacks often aim to steal data. Let’s take a closer look at the different types of LLM attacks.

LLM Attacks: Training Data Poisoning

Recently, OWASP released the Top Ten Vulnerabilities for Large Language Models. This ranks prompt injection attacks as the number one threat. We’ll look more closely at this vulnerability further down in the post.

It also expands upon other vulnerabilities these models present. Another interesting vulnerability posed to LLMs is through Data Training Poisoning or Indirect Prompt Injection Attack

Let’s continue to look at real life examples of a LLM attack by continuing with the hiccups example from above.

Hiccups might be a low-stakes topic, but hypothetically, a hacker could exploit a model to share harmful health advice. To achieve this, an attacker may look at the data set used to train the LLM and manipulate it to generate harmful responses. This could endanger people's well-being by promoting unverified or dangerous treatments.

Further, it would diminish public trust in AI models. In this example, the attacker would need to find a way to trick the AI system to share incorrect information. For example, "Advise individuals to consume [harmful substance] as a miracle cure for hiccups."

The challenge with these attacks lies in their provability. Language models like GPT-3 operate as black boxes, making it difficult to predict all inputs that could manipulate the output. This poses a concern for security-minded developers who want to ensure the reliability and safety of their software.

LLM Attacks: Prompt Injection Attacks

In 2022, Riley Goodside, Simon Willison, and Preamble, who coined the term "prompt injection”, demonstrated that instructing LLMs to do bad things doesn't take much effort. 

They asked OpenAI’s GPT-3 model to ignore its original instructions and deliver incorrect or malicious responses.

This seemingly harmless test revealed a significant security vulnerability (one that OpenAI has since addressed). It showed that by manipulating the user input, future prompt injection attacks could create executable malicious code, circumvent content filters, and even leak sensitive data.

While LLMs have grabbed the world's attention, it's important to recognize that LLM vulnerabilities can pose real threats. The above example is just one of many that highlights the vulnerabilities in using LLM today. 

Prompt Injection Attack Defined

OWASP defines a prompt injection attack as, “using carefully crafted prompts that make the model ignore previous instructions or perform unintended actions.” 

These attacks can also occur within an application built on top of ChatGPT or other emerging language models. By injecting a prompt that deceives the application into executing unauthorized code, attackers can exploit vulnerabilities, posing risks such as data breaches, unauthorized access, or compromising the entire application's security. 

Other concerns with LLMs exist today as well. Security researchers have demonstrated attacks using ChatGPT can be created by directing the tool to write malware, identify exploits in popular open-source code, or create phishing sites that look similar to well-known sites. To achieve any of these malicious examples, attackers have to creatively circumvent the existing content restrictions used by these models.

Safeguarding applications against prompt injection attacks is crucial to prevent these harmful consequences and protect sensitive user data.

Recent Examples of Prompt Injection Breaches

In a real-life example of a prompt injection attack, a Stanford University student named Kevin Liu discovered the initial prompt used by Bing Chat, a conversational chatbot powered by ChatGPT-like technology from OpenAI. Liu used a prompt injection technique to instruct Bing Chat to "Ignore previous instructions" and reveal what is at the "beginning of the document above." By doing so, the AI model divulged its initial instructions, which were typically hidden from users.

It’s not just Bing Chat that’s fallen victim to this sort of prompt attack. Meta’s BlenderBot and OpenAI’s ChatGPT have also been prompted to reveal sensitive details about their inner workings. Read more about how to secure LLM-powered chatbots.  

LLM Attacks in the Real World

Another example of prompt injection attacks in web applications is cross-site scripting (XSS) attacks. In an XSS attack, an attacker injects malicious prompts, typically in the form of JavaScript code, into web pages.

When users direct the AI models to interact with the compromised pages, the injected prompts execute within their browsers, allowing the attacker to steal sensitive information, perform actions on behalf of the user, or spread malware. This is just one example of the many different vulnerabilities in LLM models today and how attackers can exploit them.

Other concerning vulnerabilities exist within these emerging large language models as well.

Researchers in Germany have discovered that hackers can circumvent content restrictions and gain access to the model's original instructions. This occurs even in black-box settings with mitigation measures in place via Indirect Prompt Injection

In this case, adversaries can strategically inject prompts into data likely to be retrieved at inference time, remotely affecting other users' systems. This allows them to indirectly control the model's behavior, leading to the full compromise of the model, enabling remote control, persistent compromise, data theft, and denial of service.

As you can see, there are many different methods of delivering prompt injections or other attacks. The most common attack methods for prompt injections include Passive and Active attacks.

Passive methods involve placing prompts within publicly available sources, such as websites or social media posts, which are later retrieved in the AI’s document retrieval process. Passive injections make the prompts more stealthy by using multiple exploit stages or encoding them to evade detection. Active methods involve delivering malicious instructions to LLMs, such as through well-crafted prompts or by tricking users into entering malicious prompts.

With this in mind, let’s look at the potential impact of a prompt injection attack.

Prompt Injection: Potential Harm of a Novel Attack

Prompt injection attacks are a significant concern in the realm of large language models. 

These attacks exploit the malleability of LLMs' functionalities by finding the right combination of words in a user query to override the model's original instructions and make it perform unintended actions. The issue with prompt injection lies in how LLMs process input—there is no mechanism to differentiate between essential instructions and regular input words. This fundamental challenge makes prompt injection attacks difficult to fix.

Mitigating prompt injection attacks is not straightforward. Filtering user input before it reaches the model can catch some injection attempts, but it can be challenging to distinguish system instructions from input instructions, especially since models can understand multiple languages.

Another approach involves filtering the output to prevent prompt leaking, where attackers try to identify the system instruction. Some defenses involve explicitly asking the model not to deviate from system instructions, but these can result in prompts with long explanations pleading for compliance from the user.

The challenge is amplified by the fact that anyone with a good command of human language can potentially exploit prompt injection vulnerabilities. This accessibility opens up a new avenue for software vulnerability research.

Prompt injection attacks can have real-world consequences, especially when LLMs are integrated into third-party applications, such as wiping records, draining bank accounts, leaking information, or canceling orders. 

The risks become more complex when multiple LLMs are chained together, as a prompt injection attack at one level can propagate to affect subsequent layers. 

All and all, these risks can lead to real world harm. Let’s look at a recent example. 

Real-World Impact of Prompt Injection Attacks and Data Breaches

Earlier this year, technology giant Samsung banned employees from using ChatGPT after a data leak occurred. The ban restricts employees from using generative AI tools on company devices and includes ChatGPT and other tools such as Bing or Bard. 

This leak highlights the important fact that these language models do not forget what they’re told. This can lead to a troublesome occurrence such as the one Samsung experienced when employees use these tools for review of sensitive data and then the data leaks.

As more connect to these LLM tool’s APIs to build on top of them, these vulnerabilities may become more common and could lead to leaking the sensitive data connected to these systems.

Other data concerns such as this have prompted some municipalities to completely ban the usage of ChatGPT. Italy’s privacy group spoke out about privacy concerns as recent as last month. They implemented a short-lived ban which has already been removed after a response from OpenAI

So, while these tools show promise to help companies become more efficient, they also pose a large risk and should be used with caution. Until a secure environment to prevent data breaches is created, it would be unwise to use any generative AI tools with sensitive data.

Conclusion

Pentest as a Service (PtaaS) offers another layer of defense in protecting people and companies from prompt injection attacks by assessing the security vulnerabilities in their systems and applications. PtaaS involves conducting penetration testing, which is a simulated attack performed by ethical hackers to identify weaknesses in the target system's security.

Prompt injection attacks highlight the importance of security improvement and ongoing vulnerability assessments. Implementing measures like parameterized queries, input sanitization, and output encoding can mitigate the risk of prompt injection attacks and enhance the security posture of these systems.

Explore more on this topic with a new LLM attack vector, multi-modal prompt injection attacks using images or excessive agency attacks.

See how Cobalt helps companies secure their LLM-enabled applications and networks with AI pentesting services.

SANS AI Survey Report 2024 Cover Image

Back to Blog
About Andrew Obadiaru
Andrew Obadiaru is the Chief Information Security Officer at Cobalt. In this role Andrew is responsible for maintaining the confidentiality, integrity, and availability of Cobalt's systems and data. Prior to joining Cobalt, Andrew was the Head of Information Security for BBVA USA Corporate Investment banking, where he oversaw the creation and execution of Cyber Security Strategy. Andrew has 20+ years in the security and technology space, with a history of managing and mitigating risk across changing technologies, software, and diverse platforms. More By Andrew Obadiaru