Indirect Prompt Injection Attacks Against LLM Assistants
This piece highlights a recent study, “Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous,” which examines real-world vulnerabilities in large language model assistants like Gemini. The researchers define “Promptware” as maliciously crafted prompts embedded in everyday interactions—such as emails, calendar invites, or shared documents—that an assistant may interpret and act upon. They detail 14 distinct attack scenarios across five categories, including short-term context poisoning, permanent memory poisoning, misuse of tools, automatic agent invocation, and automatic app invocation. These attacks can trigger digital actions—spam, phishing, data leaks, disinformation—and even physical consequences like unauthorized control of smart-home devices. Their Threat Analysis and Risk Assessment (TARA) shows that 73 percent of these threats pose high or critical risk to users. However, the authors also demonstrate that the deployment of targeted mitigations—now already implemented by Google following disclosure—can reduce risk substantially, from very high to very low or medium levels.
Comments
Post a Comment