(twitter.com)

645 points helloplanets | 1 comments | 24 Aug 25 15:14 UTC | HN request time: 0s | source

Show context

alexbecker ◴[24 Aug 25 16:32 UTC] No.45005567[source]▶

I doubt Comet was using any protections beyond some tuned instructions, but one thing I learned at USENIX Security a couple weeks ago is that nobody has any idea how to deal with prompt injection in a multi-turn/agentic setting.

replies(1): >>45005703 #

hoppp ◴[24 Aug 25 16:47 UTC] No.45005703[source]▶

>>45005567 #

Maybe treat prompts like it was SQL strings, they need to be sanitized and preferably never exposed to external dynamic user input

replies(7): >>45005949 #>>45006195 #>>45006203 #>>45006809 #>>45007940 #>>45008268 #>>45011823 #

chasd00 ◴[24 Aug 25 22:13 UTC] No.45008268[source]▶

>>45005703 #

Can’t the connections and APIs that an LLM are given to answer queries be authenticated/authorized by the user entering the query? Then the LLM can’t do anything the asking user can’t do at least. Unless you have launch the icbm permissions yourself there’s no way to get the LLM to actually launch the icbm.

replies(2): >>45010841 #>>45021967 #

1. alexbecker ◴[25 Aug 25 06:27 UTC] No.45010841[source]▶

>>45008268 #

Generally the threat model is that a trusted user is trying to get untrusted data into the system. E.g. you have an email monitor that reads your emails and takes certain actions for you, but that means it's exposed to all your emails which may trick the bot into doing things like forwarding password resets to a hacker.

↑

Comet AI browser can get prompt injected from any site, drain your bank account