AI Domination: Remote Controlling ChatGPT ZombAIs🕹️🤖 Novel ChatGPT command and control POC. Using prompt injection + memory for initial foothold and continuous instruction updates, plus url_safe bypasses for data exfil. Based on content of my Black Hat Europe talk.

RT @janleike: Results of our jailbreaking challenge: After 5 days, >300,000 messages, and est. 3,700 collective hours our system got broke…

@karpathy This is possible via Unicode Tag code points, read and write hidden text (ASCII Smuggling). No need for tool use, it's quite amazing. Allow-listing tokens is an important mitigation when building LLM apps Claude and Grok are still vulnerable I believe

Solution to this puzzle from last November. There is one "invisible times" character between 22, so ChatGPT thinks its 2*2. 🙂 Yeah, Unicode is fun.

RT @arstechnica: New hack uses prompt injection to corrupt Gemini’s long-term memory

RT @hackplayers: Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocation

12 months ago I posted and predicted that this would be possible once Gemini has access to more powerful tools that "write" data -- the memory feature is now such a state changing tool. Back then there was only the Workspace Extension that was limited to read only operations back then.

Was just using Gemini to catch up on emails, and it randomly picked up the prompt injection test I had built for Apple Intelligence last year. 😂 Not only did it not pick the recent email, but it picked the one that contained the prompt injection over other options.

Seems to have been there for quite a while according to the article.

Download Link

RT @janleike: Super exciting robustness result: We built a system that defends against universal jailbreaks! It has minimal increase in r…

@valent1nee I used the "Contact Us" option the the UI and got directly connected and chatted with someone. So, you could try (but probably a bit busy now for direct comms) that and/or send mail.

AGI not possible, licensing issue.

Hope it will do better than Grok 2 security wise....

My initial thought was it's a scaling issue due to popularity, but status page mentions attacks. Wondering if they'll share details on what happened?