Indirect Prompt Injection · High

Morris II: zero-click self-replicating GenAI worm (research)

March 2024 · Research PoC (GPT-4, Gemini Pro, LLaVA)
What happened
Researchers built an adversarial self-replicating prompt that, embedded in an email processed by a GenAI email assistant, forces the assistant to perform malicious actions and copy the prompt into outgoing messages, spreading with no user click.
Root cause
GenAI agents acted on instructions embedded in untrusted inputs and could be coerced into reproducing and forwarding those instructions, enabling propagation.
Fix / outcome
Disclosed to OpenAI and Google before publication. A proof of concept only, not seen in the wild.
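
One defensive check that follows from the root cause, as an added example that is not from the researchers or this database: before an assistant's draft is sent, compare it with the untrusted inbound messages the assistant read and hold it if a long verbatim run was carried across. The function names, the 12-token threshold and the sample messages are assumptions constructed for illustration, and the marker string is a harmless stand-in for an embedded instruction block.

```python
import re
from difflib import SequenceMatcher

MIN_RUN_TOKENS = 12  # assumed threshold: shorter overlaps are normal in replies


def _tokens(text):
    # Lowercased word tokens, so case and whitespace changes do not hide a copy.
    return re.findall(r"\w+", text.lower())


def longest_copied_run(inbound, draft):
    """Return (length, text) of the longest inbound token run repeated in draft."""
    a, b = _tokens(inbound), _tokens(draft)
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    return m.size, " ".join(a[m.a:m.a + m.size])


def check_outgoing(inbound_messages, draft, min_run=MIN_RUN_TOKENS):
    """Gate a model-written draft. Run it on the model output only, before the
    mail client appends any quoted original, so legitimate quoting is not seen."""
    findings = []
    for msg_id, body in inbound_messages.items():
        size, span = longest_copied_run(body, draft)
        if size >= min_run:
            findings.append({"source": msg_id, "tokens": size, "span": span})
    return {"allow": not findings, "findings": findings}


# Constructed sample data (not from the research): MARKER stands in for an
# instruction block hidden in an inbound email.
MARKER = ("PLACEHOLDER BLOCK alpha bravo charlie delta echo foxtrot golf "
          "hotel india juliet kilo lima END PLACEHOLDER")
INBOUND = {
    "msg-1": "Hi team, the quarterly report is attached. " + MARKER,
    "msg-2": "Lunch on Friday at noon?",
}
DRAFT_CLEAN = "Thanks, I received the quarterly report and will review it."
DRAFT_COPY = "Thanks for the report. " + MARKER

if __name__ == "__main__":
    for name, draft in (("clean", DRAFT_CLEAN), ("copy", DRAFT_COPY)):
        result = check_outgoing(INBOUND, draft)
        print(name, "allow" if result["allow"] else "hold", result["findings"])
```

This only catches verbatim carry-over; a paraphrased copy passes, so it complements, rather than replaces, keeping untrusted message content out of the instruction channel.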