Janne Pekkala

@bontchev @stux well, that was pretty much what I meant. Not so familiar with how they work in the background, but assuming (from the form of the "initial" message) that they have just opened a new chat and prompted the rules in it (same as I do when chatting with it via OpenAI and want a specific kind of response). Especially as they even "program" it with the "you are not chatGPT" command. Now I'm a bit interested (as there might be a few ideas to test cross-site exploits).

5 comments
VessOnSecurity

@yabbapappa @stux Yes, this attack ("repeat the previous text") works against some other chat bots too. Not all of them, though, and definitely not against those that open the conversation first by saying something (e.g., presenting themselves to the user).

Janne Pekkala

@bontchev @stux no, I didn't mean how this works. Actually I started to think: could it be possible to generate a fake AI chat service, let's say KusetusAi.biz (a little JS, HTML and CSS), but actually just use some hidden initiating magic to bridge the victim's ChatGPT prompt from OpenAI to it, to get into my victim's chat logs? (So when he/she chats with my "bot" it actually at the same time copy-pastes the logs to my server in the background.) So basically run a MITM with some cross-site scripting and some social play.

Janne Pekkala

@bontchev @stux as now I kind of think that the hardest part would be to get that malicious page connected to the target chat, and that's probably doable with some nicely socially engineered pre-prompts. Then all that's needed is to give some suitable initial command, not shown to the user, to turn it to look and feel like another unique bot. After all, I could just use DOM manipulation to hide things. And voilà, access to chat history (juicy or not) granted. And if no chat to exploit? Sorry, we are under heavy load...

VessOnSecurity

@yabbapappa @stux Oh, yes, it's definitely possible. In fact, I think this is what Amazon uses in its chat bot - it licenses one of the popular ones and communicates with it via an API. It's supposed to give you suggestions for the product you're looking for, but ask it a generic question (like, "who is the 35th president of the USA?") and it will answer.

Janne Pekkala

@bontchev @stux right; so back to my original conclusion: we are doomed. As everything is so nicely (and cheaply) done with "AI", by persons who have not a clue what they are doing. While the big ones put their free-from-jail card in the ToS, to stay clean when the shit happens.

PS. Not just Amazon, I have got nice answers from many of those "chat with us" blobs lately. But it's nice that so many Americans speak fluent Finnish nowadays (in the middle of the night there).
