www.darkreading.com/endpoint-…
Some of the latest features of ChatGPT can be manipulated to make indirect prompt injection (IPI) attacks more severe than previously observed. According to researchers from Radware, a newly developed exploit chain, referred to as “ZombieAgent,” demonstrates not only that ChatGPT is vulnerable to IPI, but that its new connector and memory features can be weaponized to make such attacks more persistent and more widespread than previously understood.
The central insight behind ZombieAgent is that ChatGPT’s memory feature could be abused to make IPI attacks persistent.
To personalise the user experience, ChatGPT is designed to remember certain details it infers to be important. For example, if a user asks ChatGPT to use a specific name, it will continue to do so until instructed otherwise. If the system can retain names or similar contextual details, the question arises as to whether it could also retain malicious instructions.
The researchers conclude that there are effectively no technical barriers preventing this. As a result, the potential impact of a compromised or manipulated connected ChatGPT agent is limited only by an attacker’s creativity. Radware further noted how easily a malicious prompt could be engineered to behave like a worm, propagating from one victim’s connected email service to another’s.
