Most active commenters
  • alexbecker(4)

←back to thread

Comet AI browser can get prompt injected from any site, drain your bank account

(twitter.com)
645 points helloplanets | 17 comments | 24 Aug 25 15:14 UTC | HN request time: 0.833s | source | bottom
1. alexbecker ◴[24 Aug 25 16:32 UTC] No.45005567[source]
I doubt Comet was using any protections beyond some tuned instructions, but one thing I learned at USENIX Security a couple weeks ago is that nobody has any idea how to deal with prompt injection in a multi-turn/agentic setting.
replies(1): >>45005703 #
2. hoppp ◴[24 Aug 25 16:47 UTC] No.45005703[source]
Maybe treat prompts like it was SQL strings, they need to be sanitized and preferably never exposed to external dynamic user input
replies(7): >>45005949 #>>45006195 #>>45006203 #>>45006809 #>>45007940 #>>45008268 #>>45011823 #
3. Terr_ ◴[24 Aug 25 17:22 UTC] No.45005949[source]
The LLM is basically an iterative function going guess_next_text(entire_document). There is no algorithm-level distinction at all between "system prompt" or "user prompt" or user input... or even between its own prior output. Everything is concatenated into one big equally-untrustworthy stream.

I suspect a lot of techies operate with a subconscious good-faith assumption: "That can't be how X works, nobody would ever built it that way, that would be insecure and naive and error-prone, surely those bajillions of dollars went into a much better architecture."

Alas, when it comes to day's the AI craze, the answer is typically: "Nope, the situation really is that dumb."

__________

P.S.: I would also like to emphasize that even if we somehow color-coded or delineated all text based on origin, that's nowhere close to securing the system. An attacker doesn't need to type $EVIL themselves, they just need to trick the generator into mentioning $EVIL.

replies(1): >>45006956 #
4. alexbecker ◴[24 Aug 25 17:49 UTC] No.45006195[source]
The problem is there is no real way to separate "data" and "instructions" in LLMs like there is for SQL
5. prisenco ◴[24 Aug 25 17:50 UTC] No.45006203[source]
Sanitizing free-form inputs in a natural language is a logistical nightmare, so it's likely there isn't any safe way to do that.
replies(1): >>45006325 #
6. hoppp ◴[24 Aug 25 18:08 UTC] No.45006325{3}[source]
Maybe an LLM should do it.

1st run: check and sanitize

2nd run: give to agent with privileges to do stuff

replies(3): >>45006404 #>>45006812 #>>45008085 #
7. prisenco ◴[24 Aug 25 18:19 UTC] No.45006404{4}[source]
Problems created by using LLMs generally can't be solved using LLMS.

Your best case scenario is reducing risk by some % but you could also make it less reliable or even open up new attack vectors.

Security issues like these need deterministic solutions, and that's exceedingly difficult (if not impossible) with LLMs.

8. gmerc ◴[24 Aug 25 19:10 UTC] No.45006809[source]
There's only one input into the LLM. You can't fix that https://www.linkedin.com/pulse/prompt-injection-visual-prime...
9. gmerc ◴[24 Aug 25 19:10 UTC] No.45006812{4}[source]
Now you have 2 vulnerable LLMs. Congratulations.
10. alexbecker ◴[24 Aug 25 19:30 UTC] No.45006956{3}[source]
There have been attempts like https://arxiv.org/pdf/2410.09102 to do this kind of color-coding but none of them work in a multi-turn context since as you note you can't trust the previous turn's output
replies(1): >>45007140 #
11. Terr_ ◴[24 Aug 25 19:48 UTC] No.45007140{4}[source]
Yeah, the functionality+security everyone is dreaming about requires much more than "where did the the words come from." As we keep following the thread of "one more required improvement", I think it'll lead to: "Crap, we need to invent a real AI just to keep the LLM in line."

Even just the first step on the list is a doozy: The LLM has no authorial ego to separate itself from the human user, everything is just The Document. Any entities we perceive are human cognitive illusions, the same way that the "people" we "see" inside a dice-rolled mad-libs story don't really exist.

That's not even beginning to get into things like "I am not You" or "I have goals, You have goals" or "goals can conflict" or "I'm just quoting what You said, saying these words doesn't mean I believe them", etc.

12. lelanthran ◴[24 Aug 25 21:25 UTC] No.45007940[source]
You cannot sanitize prompt strings.

This is not SQL.

13. OtherShrezzing ◴[24 Aug 25 21:43 UTC] No.45008085{4}[source]
What stops someone prompt injecting the first LLM into passing unsanitised data to the second?
14. chasd00 ◴[24 Aug 25 22:13 UTC] No.45008268[source]
Can’t the connections and APIs that an LLM are given to answer queries be authenticated/authorized by the user entering the query? Then the LLM can’t do anything the asking user can’t do at least. Unless you have launch the icbm permissions yourself there’s no way to get the LLM to actually launch the icbm.
replies(2): >>45010841 #>>45021967 #
15. alexbecker ◴[25 Aug 25 06:27 UTC] No.45010841{3}[source]
Generally the threat model is that a trusted user is trying to get untrusted data into the system. E.g. you have an email monitor that reads your emails and takes certain actions for you, but that means it's exposed to all your emails which may trick the bot into doing things like forwarding password resets to a hacker.
16. internet_points ◴[25 Aug 25 09:05 UTC] No.45011823[source]
SQL strings can be reliably escaped by well-known mechanical procedures.

There is no generally safe way of escaping LLM input, all you can do is pray, cajole, threaten or hope.

17. thebytefairy ◴[26 Aug 25 03:30 UTC] No.45021967{3}[source]
I think it depends what kind of system and attack we're talking about. For corporate environments this approach absolutely makes sense. But say in a user's personal pc where the LLM can act as them, they have permission to do many things they shouldn't - send passwords to attackers, send money to attackers, rm -rf etc