Description

Johann Rehberger explores a new and concerning discovery in the world of large language models (LLMs). An LLM prompt injection can occur via invisible instructions hidden within pasted text. This technique uses a special set of Unicode code points from the Tags Unicode Block to create hidden instructions that can cause an LLM, such as ChatGPT, to take specific actions. The proof-of-concept presented demonstrates how a simple text containing these invisible instructions invokes DALL-E to create an image. This technique has serious implications for cybersecurity, allowing adversaries to hide malicious instructions in regular text or even have the LLM create responses containing hidden text that is not visible to users. Additionally, this technique can be used beyond LLMs to smuggle data in plain sight and exploit the human element in security systems by leveraging humans to forward, copy, process, and approve actions from text containing hidden instructions.