top | item 46712315

(no title)

sarelta | 1 month ago

The attacker isn't the dev -- the attacker is a third party that poisoned the online data that is ingested by the AI tool.

- Dev builds secure AI app - App defends against indirect prompt injection in data from the internet - Dev reviews the flagged log - Log affected by the injection is rendered, and the attacker who wrote the injection in the web data exfiltrates the data from the AI app user

discuss

jcims|1 month ago

Agreed. The writeup could use a little Alice, Bob and Charlie treatment to make that more clear though.

The OSINT data seems to be the most likely source of the poisoned content. I guess you could bury that in a social media profile?