Popular AI tools vulnerable to botnet assembly through prompt injection
Nine popular AI tools can be exploited to assemble massive botnets using prompt injection attacks.

In the brief history of AI security, the prompt injection has quickly become the top threat. Large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing. This makes it trivial to surreptitiously inject malicious commands that the LLM readily follows.
With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause. To date, most prompt injections have fallen into a class known as push, in which each potential victim is targeted. For example, the adversary injects malicious instructions into an individual email or calendar invitation.
Because the injection must then be sent (or pushed) to each specific target, the scale of the attack is limited, hampering mass exploits that hit the Internet at large. Researchers have found that nine of the most popular AI tools can be used to assemble massive botnets. Why this matters: The vulnerability of popular AI tools to prompt injection attacks has significant implications for the broader industry.
As AI models become increasingly ubiquitous, the potential for large-scale exploits grows. Developers and businesses must prioritize the development of more robust security measures to prevent such attacks. This may involve implementing more stringent input validation, improving model interpretability, or exploring alternative approaches to mitigate the risks.
Consumers, too, must be aware of the potential risks and take steps to protect themselves, such as being cautious with email and other online interactions. Ultimately, the industry must come together to address this critical vulnerability and ensure the safe and secure deployment of AI models.
Source: Ars Technica