We demonstrate potentially brutal consequences of giving LLMs like ChatGPT interfaces to other applications. We propose newly enabled attack vectors and techniques and provide demonstrations of each in this repository:
Remote control of chat LLMs
Leaking/exfiltrating user data
Persistent compromise across sessions
Spread injections to other LLMs
Compromising LLMs with tiny multi-stage payloads
Automated Social Engineering
Targeting code completion engines
Based on our findings:
Prompt injections can be as powerful as arbitrary code execution
Indirect prompt injections are a new, much more powerful way of delivering injections.
The repo https://github.com/greshake/llm-security proposes that there are big security issues with LLMs having a plugins API: