ai-security · 6 min
The user asks the agent to summarise a URL. The page has embedded instructions that trigger another tool — send_email — with conversation data. The model complies without asking. Reproducible PoC with OpenAI function calling.
· Manuel López Pérez
ai-security · 5 min
On 16 August, OWASP publishes v1.0 of its Top 10 for LLM applications. The first industry framework in the field. Works as shared vocabulary; has gaps worth naming before adopting it as checklist.
· Manuel López Pérez
ai-security · 7 min
On 27 July, Zou et al. publish a paper showing that adversarial suffixes can be generated automatically, by gradient descent, that bypass the safety classifiers of Llama-2, GPT-3.5, GPT-4, Bard and Claude. And they transfer between models.
· Manuel López Pérez
ai-security · 6 min
A chatbot that renders markdown turns any `` into an automatic GET to that URL. If an attacker can inject markdown via indirect prompt injection, they exfiltrate the entire context. Reproducible PoC.
· Manuel López Pérez
ai-security · 8 min
On 8 February Kevin Liu pulled the system prompt out of Bing Chat with an "ignore previous instructions". On 23 February Greshake published the paper that defines the next wave: instructions embedded inside the content the LLM reads.
· Manuel López Pérez
ai-security · 8 min
A prompt tells ChatGPT to play a character with no rules, and the model goes along with it. Why the role-play attack works, what changes between versions, and what it says about RLHF alignment.
· Manuel López Pérez
