Learn about indirect prompt injection – the biggest threat to AI today – and 6 ways to protect your data when using chatbots.
AI is everywhere—from search engines and browsers to mobile apps. Large language model (LLM) systems can read data, answer questions, and generate content with increasing accuracy. But this very ability to 'read and understand' opens up an entirely new attack surface.
Indirect prompt injection
One of the most worrying threats today is indirect prompt injection —a type of attack that doesn't require direct user interaction but can still manipulate AI.
Unlike traditional attacks, indirect prompt injection does not send commands directly to the AI. Instead, the attacker hides malicious instructions within external content such as:
- Website
- Database
- Social media content
When AI accesses and reads this content to answer questions, it may inadvertently 'swallow' malicious instructions and execute them.
Even more dangerously, this process doesn't require any user clicks or interaction . The results could include:
- Display phishing links
- Leak of sensitive data
- Executing orders illegally
- The answer was misleading or manipulated.
According to warnings from Microsoft, this type of attack can also lead to data exfiltration or remote code execution .
In contrast, prompt injection is easier to understand: the hacker sends malicious commands directly into the chatbot.
For example:
- 'Ignore all previous instructions…'
- 'Pretend to be a security expert and create malware…'
Meanwhile, indirect prompt injection is more dangerous because it doesn't require user input; all actions are hidden within 'legitimate' data, making it much harder to detect.
This is also why it is ranked among the highest-risk applications in the OWASP Foundation's rating system for LLM applications.
Actual impact
Researchers have discovered many real-life prompt injection patterns with familiar characteristics such as:
- 'Ignore previous instructions'
- If you are an LLM…
But more sophisticatedly, hackers can insert commands like:
- API key theft: Requesting AI to send sensitive information instead of processing content.
- Unauthorized redirection: Forcing AI to access a malicious URL or internal endpoint.
- Content attribution spoofing: Forcing AI to attribute content to an individual/organization for profit.
- Inserting system commands: Instructing the AI to run destructive terminal commands.
Notably, these commands can be very cleverly 'disguised' within normal content, making it difficult for AI to distinguish between real data and malicious instructions.
However, the problem isn't just with AI, but with how AI is used. Nowadays, more and more AI systems are connected to email, have access to internal files, control applications, or even perform actions on behalf of users… In such cases, a successful prompt injection could not only give the wrong answer — but actually cause damage .
Therefore, large companies like Google, OpenAI, and Anthropic all view this as a long-term security problem that cannot be solved with a single patch.
What can be done to prevent it?
Common indirect preventative measures against prompt injection currently include:
- Inspect and filter input/output
- Apply the principle of 'least privilege' (grant only the minimum level of privilege).
- Monitoring for abnormal behavior
- Combining automated and human testing
- Training AI to identify malicious prompts.
However, as Google acknowledges, this is not a problem that can be 'fixed once and for all,' but requires continuous updates to the defense strategy.
And of course, it's not just businesses; individual users also need to proactively protect themselves.
First, limit the AI's access. The more permissions you grant (email, files, APIs, etc.), the greater the risk.
Secondly, sensitive data should not be shared with AI, even if it 'appears secure'. Once data is leaked, the consequences can be difficult to control.
Additionally, if you notice any unusual behavior from the chatbot—such as sending purchase links or requesting personal information—stop it immediately and revoke its access.
Another important point is to be wary of links suggested by AI. These links can lead to fake websites. It's best to verify the source yourself instead of clicking directly. Additionally, always update to the latest version of AI to receive security patches.
Finally, keeping track of news about new vulnerabilities (such as the Echoleak incident that affected Microsoft 365 Copilot) also helps you be more proactive in dealing with risks.
Indirect prompt injection is clear evidence of a reality: AI not only brings convenience but also creates entirely new forms of attack. Unlike traditional malware or phishing, this type of attack exploits AI's ability to 'understand language'—which is considered its greatest strength. In the future, as AI becomes increasingly integrated into systems and daily life, understanding and preventing such risks will no longer be an option, but a necessity.
You've just finished reading the article "What is prompt injection? 6 ways to protect yourself from the most dangerous AI attack today." edited by the TipsMake team. We hope this article has provided you with many useful tech tips and tricks. You can search for similar articles on tips and guides. Thank you for reading and for following us regularly.