(twitter.com)

645 points helloplanets | 4 comments | 24 Aug 25 15:14 UTC | HN request time: 0s | source

Show context

alexbecker ◴[24 Aug 25 16:32 UTC] No.45005567[source]▶

I doubt Comet was using any protections beyond some tuned instructions, but one thing I learned at USENIX Security a couple weeks ago is that nobody has any idea how to deal with prompt injection in a multi-turn/agentic setting.

replies(1): >>45005703 #

hoppp ◴[24 Aug 25 16:47 UTC] No.45005703[source]▶

>>45005567 #

Maybe treat prompts like it was SQL strings, they need to be sanitized and preferably never exposed to external dynamic user input

replies(7): >>45005949 #>>45006195 #>>45006203 #>>45006809 #>>45007940 #>>45008268 #>>45011823 #

prisenco ◴[24 Aug 25 17:50 UTC] No.45006203[source]▶

>>45005703 #

Sanitizing free-form inputs in a natural language is a logistical nightmare, so it's likely there isn't any safe way to do that.

replies(1): >>45006325 #

1. hoppp ◴[24 Aug 25 18:08 UTC] No.45006325[source]▶

>>45006203 #

Maybe an LLM should do it.

1st run: check and sanitize

2nd run: give to agent with privileges to do stuff

replies(3): >>45006404 #>>45006812 #>>45008085 #

2. prisenco ◴[24 Aug 25 18:19 UTC] No.45006404[source]▶

>>45006325 (TP) #

Problems created by using LLMs generally can't be solved using LLMS.

Your best case scenario is reducing risk by some % but you could also make it less reliable or even open up new attack vectors.

Security issues like these need deterministic solutions, and that's exceedingly difficult (if not impossible) with LLMs.

3. gmerc ◴[24 Aug 25 19:10 UTC] No.45006812[source]▶

>>45006325 (TP) #

Now you have 2 vulnerable LLMs. Congratulations.

4. OtherShrezzing ◴[24 Aug 25 21:43 UTC] No.45008085[source]▶

>>45006325 (TP) #

What stops someone prompt injecting the first LLM into passing unsanitised data to the second?

↑

Comet AI browser can get prompt injected from any site, drain your bank account