Indirect Prompt InjectionHigh

Indirect prompt injection defined (Not What You've Signed Up For)

February 2023  ·  Academic research (vs. Bing Chat and others)

What happened

The first systematic study showing that LLM-integrated applications can be remotely compromised by planting malicious instructions in content the model later retrieves, such as web pages, emails, and documents. It demonstrated data theft and manipulation against real systems.

Root cause

LLMs cannot reliably distinguish trusted developer or user instructions from instructions embedded in retrieved third-party data.

Fix / outcome

Research rather than a single vendor bug. It defined indirect prompt injection as a category and informed the OWASP LLM Top 10. Still an open problem.

Sources

arXiv 2302.12173

Learn this attack class

This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.

Read the guide →Try the challenge

← Back to the Incident Database