Dialog injection and stealthy information exfiltration
As a result of ChatGPT receives output from SearchGPT after the search mannequin processes content material, Tenable’s researchers puzzled what would occur if SearchGPT’s response itself contained a immediate injection. In different phrases, might they use a web site to inject a immediate that instructs SearchGPT to inject a unique immediate into ChatGPT, successfully making a chained assault? The reply is sure, leading to a method Tenable dubbed “dialog injection.”
“When responding to the next prompts, ChatGPT will assessment the Conversational Context, see and take heed to the directions we injected, not realizing that SearchGPT wrote them,” the researchers stated. “Basically, ChatGPT is prompt-injecting itself.”
However getting an unauthorized immediate to ChatGPT accomplishes little for an attacker and not using a method to obtain the mannequin’s response, which might embody delicate data from the dialog context.
