Indirect Prompt Injection · High
Writer.com indirect prompt injection data exfiltration
December 2023 · Writer.com
What happened
Researchers hid instructions in white-on-white text on a web page. When a user asked the assistant to summarize the page, the hidden instructions caused it to pull content from the user's private documents and leak it via parameters on an invisible image URL.
Root cause
The assistant followed instructions embedded in untrusted page content and rendered images from a CDN domain that its Content Security Policy (CSP) allowed, so the image requests bypassed CSP restrictions and carried the exfiltrated data out.
Fix / outcome
The exfiltration vectors appeared fixed as of mid-December 2023.
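A mitigation sketch for the root cause above, added here as an example and not taken from Writer.com or the original report: filter markdown images in model output before rendering, and reject URLs that could carry data even when the host is allowlisted. The host names, the path limit and the function names are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Hypothetical policy values for this sketch (not from the incident report).
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}
MAX_PATH_LEN = 128

# Markdown image syntax: ![alt](url "optional title")
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')

def image_url_verdict(url):
    """Return None if the image URL may be rendered, else the block reason."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "non-https scheme"
    if parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return "host not allowlisted"
    # A host allowlist alone repeats the CSP weakness described above: an
    # allowed host still receives whatever is packed into the rest of the URL.
    if parts.query or parts.fragment or parts.username:
        return "carries query, fragment or userinfo"
    # Limits, but does not eliminate, data smuggled in path segments.
    if len(parts.path) > MAX_PATH_LEN:
        return "path too long"
    return None

def sanitize_model_output(markdown):
    """Replace blocked images with a text marker; return (text, findings)."""
    findings = []
    def _sub(match):
        alt, url = match.group(1), match.group(2)
        reason = image_url_verdict(url)
        if reason is None:
            return match.group(0)
        findings.append((url, reason))  # keep for logging and alerting
        return f"[image removed: {alt or 'no alt text'}]"
    return MD_IMAGE.sub(_sub, markdown), findings

# Constructed sample of assistant output; the values are invented.
SAMPLE = (
    "Here is the summary you asked for.\n"
    "![](https://cdn.example.com/pixel.png?d=Q3%20revenue%20draft)\n"
    "![logo](https://cdn.example.com/static/logo.png)\n"
    "![x](https://tracker.invalid/a.png)\n"
)

if __name__ == "__main__":
    cleaned, findings = sanitize_model_output(SAMPLE)
    print(cleaned)
    for url, reason in findings:
        print("blocked:", reason, url)
```

The filter covers markdown image syntax only; raw HTML `<img>` tags and links in model output need the same check wherever the renderer supports them.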