Hi @simonw your tweets were motivation for me to write this blogpost. Same with this one: https://blog.roboflow.com/chatgpt-code-interpreter-computer-... when I dove deep into Code Interpreter. Most of my jailbreaking and prompt injection adventures are linked to you. Thanks a lot!
1) The image markdown data exfil was disclosed to OpenAI in April this year, but still no fix. It impacts all areas of ChatGPT (e.g. browsing, plugins, code interpreter - beta features) and now image analysis (a default feature). Other vendors have fixed this attack vector via stricter Content-Security-Policy (e.g Bing Chat) or not rendering image markdown.
2) Image based injection work across models, e.g. also applies to Bard and Bing Chat. There was a brief discussion on here in July about it (https://news.ycombinator.com/item?id=36718721) about a first demo.
wunderwuzzi23|2 years ago
Two things I wanted to add:
1) The image markdown data exfil was disclosed to OpenAI in April this year, but still no fix. It impacts all areas of ChatGPT (e.g. browsing, plugins, code interpreter - beta features) and now image analysis (a default feature). Other vendors have fixed this attack vector via stricter Content-Security-Policy (e.g Bing Chat) or not rendering image markdown.
2) Image based injection work across models, e.g. also applies to Bard and Bing Chat. There was a brief discussion on here in July about it (https://news.ycombinator.com/item?id=36718721) about a first demo.
simonw|2 years ago