Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Prompt Injection. Show all posts
Threat Detection
agentic AI AI Security Cyber Attacks Cyberthreats Data integrity Enterprise Protection LLM Safeguards Prompt Injection secure browsing Threat Detection

Rising Prompt Injection Threats and How Users Can Stay Secure

 


The generative AI revolution is reshaping the foundations of modern work in an age when organizations are increasingly relying on large language models like ChatGPT and Claude to speed up research, synthesize complex information, and interpret extensive data sets more rapidly with unprecedented ease, which is accelerating research, synthesizing complex information, and analyzing extensive data sets. 

However, this growing dependency on text-driven intelligence is associated with an escalating and silent risk. The threat of prompt injection is increasing as these systems become increasingly embedded in enterprise workflows, posing a new challenge to cybersecurity teams. Malicious actors have the ability to manipulate the exact instructions that lead an LLM to reveal confidential information, alter internal information, or corrupt proprietary systems in such ways that they are extremely difficult to detect and even more difficult to reverse. 

Malicious actors can manipulate the very instructions that guide an LLM. Any organisation that deploys its own artificial intelligence infrastructure or integrates sensitive data into third-party models is aware that safeguarding against such attacks has become an urgent concern. Organisations must remain vigilant and know how to exploit such vulnerabilities. 

It is becoming increasingly evident that as organisations are implementing AI-driven workflows, a new class of technology—agent AI—is beginning to redefine how digital systems work for the better. These more advanced models, as opposed to traditional models that are merely reactive to prompts, are capable of collecting information, reasoning through tasks, and serving as real-time assistants that can be incorporated into everything from customer support channels to search engine solutions. 

There has been a shift into the browser itself, where AI-enhanced interfaces are rapidly becoming a feature rather than a novelty. However, along with that development, corresponding risks have also increased. 

It is important to keep in mind that, regardless of what a browser is developed by, the AI components that are embedded into it — whether search engines, integrated chatbots, or automated query systems — remain vulnerable to the inherent flaws of the information they rely on. This is where prompt injection attacks emerge as a particularly troubling threat. Attackers can manipulate an LLM so that it performs unintended or harmful actions as a result of exploiting inaccuracies, gaps, or unguarded instructions within its training or operational data. 

Despite the sophisticated capabilities of agentic artificial intelligence, these attacks reveal an important truth: although it brings users and enterprises powerful capabilities, it also exposes them to vulnerabilities that traditional browsing tools have not been exposed to. As a matter of fact, prompt injection is often far more straightforward than many organisations imagine, as well as far more harmful. 

There are several examples of how an AI system can be manipulated to reveal sensitive information without even recognising the fact that the document is tainted, such as a PDF embedded with hidden instructions, by an attacker. It has also been demonstrated that websites seeded with invisible or obfuscated text can affect how an AI agent interprets queries during information retrieval, steering the model in dangerous or unintended directions. 

It is possible to manipulate public-facing chatbots, which are intended to improve customer engagement, in order to produce inappropriate, harmful, or policy-violating responses through carefully crafted prompts. These examples illustrate that there are numerous risks associated with inadvertent data leaks, reputational repercussions, as well as regulatory violations as enterprises begin to use AI-assisted decision-making and workflow automation more frequently. 

In order to combat this threat, LLMs need to be treated with the same level of rigour that is usually reserved for high-value software systems. The use of adversarial testing and red-team methods has gained popularity among security teams as a way of determining whether a model can be misled by hidden or incorrect inputs. 

There has been a growing focus on strengthening the structure of prompts, ensuring there is a clear boundary between user-driven content and system instructions, which has become a critical defence against fraud, and input validation measures have been established to filter out suspicious patterns before they reach the model's operational layer. Monitoring outputs continuously is equally vital, which allows organisations to flag anomalies and enforce safeguards that prevent inappropriate or unsafe behaviour. 

The model needs to be restricted from accessing unvetted external data, context management rules must be redesigned, and robust activity logs must be maintained in order to reduce the available attack surface while ensuring a more reliable oversight system. However, despite taking these precautions to protect the system, the depths of the threat landscape often require expert human judgment to assess. 

Manual penetration testing has emerged as a decisive tool, providing insight far beyond the capabilities of automated scanners that are capable of detecting malicious code. 

Using skilled testers, it is possible to reproduce the thought processes and creativity of real attackers. This involves experimenting with nuanced prompt manipulations, embedded instruction chains, and context-poisoning techniques that automatic tools fail to detect. Their assessments also reveal whether security controls actually perform as intended. They examine whether sanitisation filters malicious content properly, whether context restrictions prevent impersonation, and whether output filters intervene when the model produces risky content. 

A human-led testing process provides organisations with a stronger assurance that their AI deployments will withstand the increasingly sophisticated attempts at compromising them through the validation of both vulnerabilities and the effectiveness of subsequent fixes. In order for user' organisation to become resilient against indirect prompt injection, it requires much more than isolated technical fixes. It calls for a coordinated, multilayered defence that encompasses both the policy environment, the infrastructure, and the day-to-day operational discipline of users' organisations. 

A holistic approach to security is increasingly being adopted by security teams to reduce the attack surface as well as catch suspicious behaviour early and quickly. As part of this effort, dedicated detection systems are deployed, which will identify and block both subtle, indirect manipulations that might affect an artificial intelligence model's behaviour before they can occur. Input validation and sanitisation protocols are a means of strengthening these controls. 

They prevent hidden instructions from slipping into an LLM's context by screening incoming data, regardless of whether it is sourced from users, integrated tools, or external web sources. In addition to establishing firm content handling policies, it is also crucial to establish a policy defining the types of information that an artificial intelligence system can process, as well as the types of sources that can be regarded as trustworthy. 

A majority of organisations today use allowlisting frameworks as part of their security measures, and are closely monitoring unverified or third-party content in order to minimise exposure to contaminated data. Enterprises are adopting strict privilege-separation measures at the architectural level so as to ensure that artificial intelligence systems have minimal access to sensitive information as well as being unable to perform high-risk actions without explicit authorisations. 

In the event that an injection attempt is successful, this controlled environment helps contain the damage. It adds another level of complexity to the situation when shadow AI begins to emerge—employees adopting unapproved tools without supervision. Consequently, organisations are turning to monitoring and governance platforms to provide insight into how and where AI tools are being implemented across the workforce. These platforms enable access controls to be enforced and unmanaged systems to be prevented from becoming weak entry points for attackers. 

As an integral component of technical and procedural safeguards, user education is still an essential component of frontline defences. 

Training programs that teach employees how to recognise and distinguish sanctioned tools from unapproved ones will help strengthen frontline defences in the future. As a whole, these measures form a comprehensive strategy to counter the evolving threat of prompt injection in enterprise environments by aligning technology, policy, and awareness. 

It is becoming increasingly important for enterprises to secure these systems as the adoption of generative AI and agentic AI accelerates. As a result of this development, companies are at a pivotal point where proactive investment in artificial intelligence security is not a luxury but an essential part of preserving trust, continuity, and competitiveness. 

Aside from the existing safeguards that organisations have already put in place, organisations can strengthen their posture even further by incorporating AI risk assessments into broader cybersecurity strategies, conducting continuous model evaluations, as well as collaborating with external experts. 

An organisation that encourages a culture of transparency can reduce the probability of unnoticed manipulation to a substantial degree if anomalies are reported early and employees understand both the power and pitfalls of Artificial Intelligence. It is essential to embrace innovation without losing sight of caution in order to build AI systems that are not only intelligent, but also resilient, accountable, and closely aligned with human oversight. 

By harnessing the transformative potential of modern AI and making security a priority, businesses can ensure that the next chapter of digital transformation is not just driven by security, but driven by it as a core value, not an afterthought.
Read more »
Zero-Click Exploit
AI agent vulnerabilities AI security threats AIjacking Microsoft Copilot Studio Prompt Injection Technology Zero-Click Exploit

AIjacking Threat Exposed: How Hackers Hijacked Microsoft’s Copilot Agent Without a Single Click

 

Imagine this — a customer service AI agent receives an email and, within seconds, secretly extracts your entire customer database and sends it to a hacker. No clicks, no downloads, no alerts.

Security researchers recently showcased this chilling scenario with a Microsoft Copilot Studio agent. The exploit worked through prompt injection, a manipulation technique where attackers hide malicious instructions in ordinary-looking text inputs.

As companies rush to integrate AI agents into customer service, analytics, and software development, they’re opening up new risks that traditional cybersecurity tools can’t fully protect against. For developers and data teams, understanding AIjacking — the hijacking of AI systems through deceptive prompts — has become crucial.

In simple terms, AIjacking occurs when attackers use natural language to trick AI systems into executing commands that bypass their programmed restrictions. These malicious prompts can be buried in anything the AI reads — an email, a chat message, a document — and the system can’t reliably tell the difference between a real instruction and a hidden attack.

Unlike conventional hacks that exploit software bugs, AIjacking leverages the very nature of large language models. These models follow contextual language instructions — whether those instructions come from a legitimate user or a hacker.

The Microsoft Copilot Studio incident illustrates the stakes clearly. Researchers sent emails embedded with hidden prompt injections to an AI-powered customer service agent that had CRM access. Once the agent read the emails, it followed the instructions, extracted sensitive data, and emailed it back to the attacker — all autonomously. This was a true zero-click exploit.

Traditional cyberattacks often rely on tricking users into clicking malicious links or opening dangerous attachments. AIjacking requires no such action — the AI processes inputs automatically, which is both its greatest strength and its biggest vulnerability.

Old-school defenses like firewalls, antivirus software, and input validation protect against code-level threats like SQL injection or XSS attacks. But AIjacking is a different beast — it targets the language understanding capability itself, not the code.

Because malicious prompts can be written in infinite variations — in different tones, formats, or even languages — it’s impossible to build a simple “bad input” blacklist that prevents all attacks.

When Microsoft fixed the Copilot Studio flaw, they added prompt injection classifiers, but these have limitations. Block one phrasing, and attackers simply reword their prompts.

AI agents are typically granted broad permissions to perform useful tasks — querying databases, sending emails, and calling APIs. But when hijacked, those same permissions become a weapon, allowing the agent to carry out unauthorized operations in seconds.

Security tools can’t easily detect a well-crafted malicious prompt that looks like normal text. Antivirus programs don’t recognize adversarial inputs that exploit AI behavior. What’s needed are new defense strategies tailored to AI systems.

The biggest risk lies in data exfiltration. In Microsoft’s test, the hijacked AI extracted entire customer records from the CRM. Scaled up, that could mean millions of records lost in moments.

Beyond data theft, hijacked agents could send fake emails from your company, initiate fraudulent transactions, or abuse APIs — all using legitimate credentials. Because the AI acts within its normal permissions, the attack is almost indistinguishable from authorized activity.

Privilege escalation amplifies the damage. Since most AI agents need elevated access — for instance, customer service bots read user data, while dev assistants access codebases — a single hijack can expose multiple internal systems.

Many organizations wrongly assume that existing cybersecurity systems already protect them. But prompt injection bypasses these controls entirely. Any text input the AI processes can serve as an attack vector.

To defend against AIjacking, a multi-layered security strategy is essential:

  1. Input validation & authentication: Don’t let AI agents auto-respond to unverified external inputs. Only allow trusted senders and authenticated users.
  2. Least privilege access: Give agents only the permissions necessary for their task — never full database or write access unless essential.
  3. Human-in-the-loop approval: Require manual confirmation before agents perform sensitive tasks like large data exports or financial transactions.
  4. Logging & monitoring: Track agent behavior and flag unusual actions, such as accessing large volumes of data or contacting new external addresses.
  5. System design & isolation: Keep AI agents away from production databases, use read-only replicas, and apply rate limits to contain damage.

Security testing should also include adversarial prompt testing, where developers actively try to manipulate the AI to find weaknesses before attackers do.

AIjacking marks a new era in cybersecurity. It’s not hypothetical — it’s happening now. But layered defense strategies — from input authentication to human oversight — can help organizations deploy AI safely. Those who take action now will be better equipped to protect both their systems and their users.
Read more »
Technology
Artificial Intelligence Chatbots data security images Prompt Injection Technology

AI Image Attacks: How Hidden Commands Threaten Chatbots and Data Security

 



As artificial intelligence becomes part of daily workflows, attackers are exploring new ways to exploit its weaknesses. Recent research has revealed a method where seemingly harmless images uploaded to AI systems can conceal hidden instructions, tricking chatbots into performing actions without the user’s awareness.


How hidden commands emerge

The risk lies in how AI platforms process images. To reduce computing costs, most systems shrink images before analysis, a step known as downscaling. During this resizing, certain pixel patterns, deliberately placed by an attacker can form shapes or text that the model interprets as user input. While the original image looks ordinary to the human eye, the downscaled version quietly delivers instructions to the system.

This technique is not entirely new. Academic studies as early as 2020 suggested that scaling algorithms such as bicubic or bilinear resampling could be manipulated to reveal invisible content. What is new is the demonstration of this tactic against modern AI interfaces, proving that such attacks are practical rather than theoretical.


Why this matters

Multimodal systems, which handle both text and images, are increasingly connected to calendars, messaging apps, and workplace tools. A hidden prompt inside an uploaded image could, in theory, request access to private information or trigger actions without explicit permission. One test case showed that calendar data could be forwarded externally, illustrating the potential for identity theft or information leaks.

The real concern is scale. As organizations integrate AI assistants into daily operations, even one overlooked vulnerability could compromise sensitive communications or financial data. Because the manipulation happens inside the preprocessing stage, traditional defenses such as firewalls or antivirus tools are unlikely to detect it.


Building safer AI systems

Defending against this form of “prompt injection” requires layered strategies. For users, simple precautions include checking how an image looks after resizing and confirming any unusual system requests. For developers, stronger measures are necessary: restricting image dimensions, sanitizing inputs before models interpret them, requiring explicit confirmation for sensitive actions, and testing models against adversarial image samples.

Researchers stress that piecemeal fixes will not be enough. Only systematic design changes such as enforcing secure defaults and monitoring for hidden instructions can meaningfully reduce the risks.

Images are no longer guaranteed to be safe when processed by AI systems. As attackers learn to hide commands where only machines can read them, users and developers alike must treat every upload with caution. By prioritizing proactive defenses, the industry can limit these threats before they escalate into real-world breaches.



Read more »
Red teaming
AI Security Cyber Security Cybersecurity Google Gemini Prompt Injection Red teaming

How Google Enhances AI Security with Red Teaming

 

Google continues to strengthen its cybersecurity framework, particularly in safeguarding AI systems from threats such as prompt injection attacks on Gemini. By leveraging automated red team hacking bots, the company is proactively identifying and mitigating vulnerabilities.

Google employs an agentic AI security team to streamline threat detection and response using intelligent AI agents. A recent report by Google highlights its approach to addressing prompt injection risks in AI systems like Gemini.

“Modern AI systems, like Gemini, are more capable than ever, helping retrieve data and perform actions on behalf of users,” the agent team stated. “However, data from external sources present new security challenges if untrusted sources are available to execute instructions on AI systems.”

Prompt injection attacks exploit AI models by embedding concealed instructions within input data, influencing system behavior. To counter this, Google is integrating advanced security measures, including automated red team hacking bots.

To enhance AI security, Google employs red teaming—a strategy that simulates real-world cyber threats to expose vulnerabilities. As part of this initiative, Google has developed a red-team framework to generate and test prompt injection attacks.

“Crafting successful indirect prompt injections,” the Google agent AI security team explained, “requires an iterative process of refinement based on observed responses.”

This framework leverages optimization-based attacks to refine prompt injection techniques, ensuring AI models remain resilient against sophisticated threats.

“Weak attacks do little to inform us of the susceptibility of an AI system to indirect prompt injections,” the report highlighted.

Although red team hacking bots challenge AI defenses, they also play a crucial role in reinforcing the security of systems like Gemini against unauthorized data access.

Key Attack Methodologies

Google evaluates Gemini's robustness using two primary attack methodologies:

1. Actor-Critic Model: This approach employs an attacker-controlled model to generate prompt injections, which are tested against the AI system. “These are passed to the AI system under attack,” Google explained, “which returns a probability score of a successful attack.” The bot then refines the attack strategy iteratively until a vulnerability is exploited.

2. Beam Search Technique: This method initiates a basic prompt injection that instructs Gemini to send sensitive information via email to an attacker. “If the AI system recognizes the request as suspicious and does not comply,” Google said, “the attack adds random tokens to the end of the prompt injection and measures the new probability of the attack succeeding.” The process continues until an effective attack method is identified.

By leveraging red team hacking bots and AI-driven security frameworks, Google is continuously improving AI resilience, ensuring robust protection against evolving threats.
Read more »
Slack
Artificial Intelligence ChatGPT Data Breach Prompt Injection Slack

Slack Fixes AI Security Flaw After Expert Warning


 

Slack, the popular communication platform used by businesses worldwide, has recently taken action to address a potential security flaw related to its AI features. The company has rolled out an update to fix the issue and reassured users that there is no evidence of unverified access to their data. This move follows reports from cybersecurity experts who identified a possible weakness in Slack's AI capabilities that could be exploited by malicious actors.

The security concern was first brought to attention by PromptArmor, a cybersecurity firm that specialises in identifying vulnerabilities in AI systems. The firm raised alarms over the potential misuse of Slack’s AI functions, particularly those involving ChatGPT. These AI tools were intended to improve user experience by summarising discussions and assisting with quick replies. However, PromptArmor warned that these features could also be manipulated to access private conversations through a method known as "prompt injection."

Prompt injection is a technique where an attacker tricks the AI into executing harmful commands that are hidden within seemingly harmless instructions. According to PromptArmor, this could allow unauthorised individuals to gain access to private messages and even conduct phishing attacks. The firm also noted that Slack's AI could potentially be coerced into revealing sensitive information, such as API keys, which could then be sent to external locations without the knowledge of the user.

PromptArmor outlined a scenario in which an attacker could create a public Slack channel and embed a malicious prompt within it. This prompt could instruct the AI to replace specific words with sensitive data, such as an API key, and send that information to an external site. Alarmingly, this type of attack could be executed without the attacker needing to be a part of the private channel where the sensitive data is stored.

Further complicating the issue, Slack’s AI has the ability to pull data from both file uploads and direct messages. This means that even private files could be at risk if the AI is manipulated using prompt injection techniques.

Upon receiving the report, Slack immediately began investigating the issue. The company confirmed that, under specific and rare circumstances, an attacker could use the AI to gather certain data from other users in the same workspace. To address this, Slack quickly deployed a patch designed to fix the vulnerability. The company also assured its users that, at this time, there is no evidence indicating any customer data has been compromised.

In its official communication, Slack emphasised the limited nature of the threat and the quick action taken to resolve it. The update is now in place, and the company continues to monitor the situation to prevent any future incidents.

There are potential risks that come with integrating AI into workplace tools that need to be construed well. While AI has many upsides, including improved efficiency and streamlined communication, it also opens up new opportunities for cyber threats. It is crucial for organisations using AI to remain vigilant and address any security concerns that arise promptly.

Slack’s quick response to this issue stresses upon how imperative it is to stay proactive in a rapidly changing digital world.


Read more »
Twitter
Cyber Security Hackers Prompt Injection Twitter

Twitter Pranksters Halt GPT-3 Bot with Newly Discovered “Prompt Injection” Hack

 

On Thursday, a few Twitter users revealed how to hijack an automated tweet bot dedicated to remote jobs and powered by OpenAI's GPT-3 language model. They redirected the bot to repeat embarrassing and ridiculous phrases using a newly discovered technique known as a "prompt injection attack." 

Remoteli.io, a site that aggregates remote job opportunities, runs the bot. It describes itself as "an OpenAI-driven bot that helps you discover remote jobs that allow you to work from anywhere." Usually, it would respond to tweets directed at it with generic statements about the benefits of remote work. The bot was shut down late yesterday after the exploit went viral and hundreds of people tried it for themselves.

This latest breach occurred only four days after data researcher Riley Goodside unearthed the ability to prompt GPT-3 with "malicious inputs" that instruct the model to disregard its previous directions and do something else instead. The following day, AI researcher Simon Willison published an overview of the exploit on his blog, inventing the term "prompt injection" to define it.

The exploit is present any time anyone writes a piece of software that works by providing a hard-coded set of prompt instructions and then appends input provided by a user," Willison told Ars. "That's because the user can type Ignore previous instructions and (do this instead)."

An injection attack is not a novel concept. SQL injection, for example, has been recognised by security researchers to execute a harmful SQL statement when asking for user input if not protected against it. On the other hand, Willison expressed concern about preventing prompt injection attacks, writing, "I know how to beat XSS, SQL injection, and so many other exploits. I have no idea how to reliably beat prompt injection!"

The struggle in protection against prompt injection stems from the fact that mitigations for other types of injection attacks come from correcting syntax errors, as noted on Twitter by a researcher known as Glyph.

GPT-3 is a large language model developed by OpenAI and released in 2020 that can compose text in a variety of styles at a human-like level. It is a commercial product available through an API that can be integrated into third-party products such as bots, subject to OpenAI's approval. That means there could be many GPT-3-infused products on the market that are vulnerable to prompt injection.

"At this point I would be very surprised if there were any [GPT-3] bots that were NOT vulnerable to this in some way," Willison said.

However, unlike a SQL injection, a prompt injection is more likely to make the bot (or the company behind it) look foolish than to endanger data security. 

"The severity of the exploit varies. If the only person who will see the output of the tool is the person using it, then it likely doesn't matter. They might embarrass your company by sharing a screenshot, but it's not likely to cause harm beyond that." Willison explained.  

Nonetheless, prompt injection is an unsettling threat that is yet emerging and requires us to be vigilant, especially those developing GPT-3 bots because it may be exploited in unexpected ways in the future.
Read more »
Subscribe to: Comments (Atom)