ChatGPT prompt injection turns web pages into phishing lures

https://image.theregister.com/5248172.jpg?imageId=5248172&x=0&y=0&cropw=100&croph=100&panox=0&panoy=0&panow=100&panoh=100&width=1200&height=683

EXCLUSIVE ChatGPT can’t tell its own generated content from attacker-controlled Markdown pulled from external sources, according to a researcher who found the prompt injection technique and reported it to OpenAI. This means that if a user asks the chatbot to summarize a web page that contains hidden instructions, the page can become the payload.

An attacker could abuse this blind trust to inject phishing URLs into ChatGPT responses, or even trick the model into showing fake security alerts written in ChatGPT's own style, Permiso threat hunter Andi Ahmeti told The Register.

In a reportshared with us ahead of publication, Ahmeti also demonstrated how criminals could exploit this trust issue to pivot their attack from a victim’s browser to their mobile device by displaying an inline QR code. The victim scans the QR code with their phone and is taken to content hosted in an attacker-controlled S3 bucket, and this...

Copyright of this story solely belongs to theregister.com. To see the full text click HERE

Read more