(twitter.com)

645 points helloplanets | 1 comments | 24 Aug 25 15:14 UTC | HN request time: 0s | source

Show context

alexbecker ◴[24 Aug 25 16:32 UTC] No.45005567[source]▶

I doubt Comet was using any protections beyond some tuned instructions, but one thing I learned at USENIX Security a couple weeks ago is that nobody has any idea how to deal with prompt injection in a multi-turn/agentic setting.

replies(1): >>45005703 #

hoppp ◴[24 Aug 25 16:47 UTC] No.45005703[source]▶

>>45005567 #

Maybe treat prompts like it was SQL strings, they need to be sanitized and preferably never exposed to external dynamic user input

replies(7): >>45005949 #>>45006195 #>>45006203 #>>45006809 #>>45007940 #>>45008268 #>>45011823 #

chasd00 ◴[24 Aug 25 22:13 UTC] No.45008268[source]▶

>>45005703 #

Can’t the connections and APIs that an LLM are given to answer queries be authenticated/authorized by the user entering the query? Then the LLM can’t do anything the asking user can’t do at least. Unless you have launch the icbm permissions yourself there’s no way to get the LLM to actually launch the icbm.

replies(2): >>45010841 #>>45021967 #

1. thebytefairy ◴[26 Aug 25 03:30 UTC] No.45021967[source]▶

>>45008268 #

I think it depends what kind of system and attack we're talking about. For corporate environments this approach absolutely makes sense. But say in a user's personal pc where the LLM can act as them, they have permission to do many things they shouldn't - send passwords to attackers, send money to attackers, rm -rf etc

↑

Comet AI browser can get prompt injected from any site, drain your bank account