- Varonis discovers new prompt injection method via malicious URL parameters, called “Reprompt”.
- Attackers could trick GenAI tools into leaking sensitive data with a single click.
- Microsoft fixed the bug and blocked prompt injection attacks through URLs.
Security researchers at Varonis have discovered Reprompt, a new way to perform prompt injection attacks in Microsoft Copilot that does not involve sending an email with a hidden prompt or hiding malicious commands on a compromised website.
Similar to other prompt injection attacks, this one also only takes a single click.
Prompt injection attacks are, as the name suggests, attacks where cybercriminals inject prompts into Generative AI tools that trick the tool into giving away sensitive data. They are mostly enabled because the tool is not yet able to correctly distinguish between a prompt to be executed and data to be read.
Prompt injection through URLs
Usually prompt injection attacks work like this: a victim uses an email client that has GenAI embedded (e.g., Gmail with Gemini). The victim receives a benign-looking email containing a hidden malicious prompt. It can be written in white text on a white background or shrunk to font size 0.
When the victim orders the AI to read the email (for example, to summarize key points or check for call invitations), the AI also reads and executes the hidden prompt. These prompts could be, for example, to exfiltrate sensitive data from the inbox to a server under the attacker’s control.
Now Varonis found something similar: a prompt injection attack through URLs. They would add a long series of detailed instructions in the form of a q parameter at the end of an otherwise legitimate link.
This is what such a link looks like: http://copilot.microsoft.com/?q=Hello
Copilot (and many other LLM-based tools) treats a URL's q parameter as input text, equivalent to something a user enters at the prompt. In their experiment, they were able to leak sensitive data that the victim shared with the AI beforehand.
Varonis reported its findings to Microsoft, which earlier last week closed the hole so that prompt injection attacks via URLs can no longer be exploited.
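Because the prefilled prompt travels in the link itself, links can be triaged before anyone clicks them. The following is an added example, not code from Varonis, Microsoft or this article: it flags links to an assistant host whose q parameter carries an unusually long prefilled prompt or an embedded URL. Only copilot.microsoft.com and the q parameter come from the article; the thresholds, function names and sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts to watch. Only copilot.microsoft.com comes from the article.
ASSISTANT_HOSTS = {"copilot.microsoft.com"}
# Assumption: triage threshold chosen for illustration; tune it on your own traffic.
MAX_BENIGN_PROMPT_CHARS = 200
EMBEDDED_URL_MARKERS = ("http://", "https://")


def triage_link(url: str) -> list[str]:
    """Return the reasons a link deserves review; an empty list means no finding."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in ASSISTANT_HOSTS:
        return []
    # parse_qs percent-decodes values, so encoded text is inspected in clear form.
    prompts = parse_qs(parts.query, keep_blank_values=True).get("q", [])
    reasons = []
    if len(prompts) > 1:
        reasons.append("repeated q parameter")
    for prompt in prompts:
        if len(prompt) > MAX_BENIGN_PROMPT_CHARS:
            reasons.append(f"prefilled prompt is {len(prompt)} characters long")
        if any(marker in prompt.lower() for marker in EMBEDDED_URL_MARKERS):
            reasons.append("prefilled prompt embeds another URL")
    return reasons


def review_queue(urls: list[str]) -> dict[str, list[str]]:
    """Map each flagged URL to its reasons, dropping links with no finding."""
    return {u: r for u in urls if (r := triage_link(u))}


# Constructed sample links, as they might appear in mail or proxy logs.
SAMPLE_LINKS = [
    "http://copilot.microsoft.com/?q=Hello",                        # the article's example
    "https://copilot.microsoft.com/?q=" + "filler%20text%20" * 30,  # long prefilled prompt
    "https://copilot.microsoft.com/?q=see%20https%3A%2F%2Fexample.invalid%2Fx",
    "https://example.org/?q=" + "x" * 500,                          # not an assistant host
]

if __name__ == "__main__":
    for url, reasons in review_queue(SAMPLE_LINKS).items():
        print(url[:60], "->", "; ".join(reasons))
```

A short q value such as the article's `Hello` link produces no finding, so the check is a triage aid for mail or proxy logs rather than a block rule.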



