Computer security, ethical hacking, red teaming and technology at large. Some artificial intelligence, machine learning and other fun things once in a while. Learn the hacks, stop the attacks!
Information on this channel is provided for research and educational purposes to advance understanding of attacks and countermeasures to help secure the Internet. Penetration testing requires authorization from proper stakeholders. I do not support or condone illegal hacking.
Blog at embracethered.com
(c) WUNDERWUZZI, LLC
Пікірлер
Thank you for sharing this!
Thanks for watching! Check out the related blog post also. Also, let me know if there is any content you'd like to see covered in future. 🙂
Great stuff 👍
Thanks for the visit and note. Appreciate it! Let me know if there are any relevant topics you'd like to see covered?
nice video bru
Thanks! Let me know if there are other topics of interest?
Can you please share what .py file you has run on this video to monitor chatgpt3.5 chat (print-data-exfiltration-log.py) under code please share
It was just a script that filters the web server log for requests from ChatGPT user agent and only shows the query parameter and no request IP - so it's easier to view. You can just grep /var/log/ngninx/access.log also (assuming you use nginx on Linux). I can see if I still have the script somewhere but it wasn't anything special.
Gold!
Thanks!!
Perfect straight to the point,
Thanks for watching!
What wordlist file do you use?
Depends, a common source to get started is: github.com/danielmiessler/SecLists. Also, quite significant are the mutations and rulesets that are being used by the way.
@@embracethered thank you!!
Thanks. Great content!
Glad you liked it!
Thanks Yohann.
Thanks!
Thanks Yohann.
Glad you found it interesting! Thanks for checking it out!
thanks Yohann.
Thank you! Hope it was useful! 🙂
Thanks Johann.
You are welcome!
I didn't really understand the vulnerability impact. You are exfiltrating own chat (user A) to own drive (user A) drive. How is it exploitable?
Attacker is causing the Chatbot to send past chat data to attackers server (in this case a google doc is capturing the exfiltrated data). Check out the linked blog post, explains it in detail.
what is this ?
It's about a Jupyter Notebook that allows to self-study prompt injection and to experiment and play around with the technique by solving a set of challenges.
🔥
Thanks!! It's probably one of my most interesting videos.
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "c:\temp\sslkeys\keys", "MACHINE") netsh trace start capture=yes tracefile=c:\temp\sslkeys\trace.etl report=disabled netsh trace stop
Thanks , great insights
Thanks for watching! Glad it was interesting.
How'd you get that cool paint splash effect around your head? What software are you using?
Thanks! It's just a custom image I created. drew a white circle on black background - then zigzagged that splash effect over with a brush and then use a filter for webcam in OBS to blend it in.
Great tut. Thanks 👍
Glad it was helpful! Thanks for watching!
how to do it for traffic outside of browser? say I have a desktop app
Was not expecting this in the playlist.
Haha
im trying to understand what just happened please can someone explain
You can read up on the details here: embracethered.com/blog/posts/2023/google-bard-data-exfiltration/ And if you want to understand the big picture around LLM prompt injections check out this talk m.kzread.info/dash/bejne/o62ItbGMdKipZbA.html Thanks for watching!
Thank you so much. Exactly the video I needed.
Glad it was helpful!
I just tried this, but the only difference is I was capturing this information over HTTP instead of SMB. Does that make a difference? I ask because I was trying to generate a proof of concept where I controlled the username and password going in, but it wouldn't crack. I tried four different times and it didn't work. Is something different when these are captured over HTTP instead of an SMB connection?
Good question. First thought is that it should just work the same, but I haven't tried. Relaying def works, that I have done many times in past.
Thanks. I had a colleague try it too, and got the same result as I did. This is for a pentest proof of concept, so I’m not in position to relay unfortunately.
ff
superb!
Thank you!🙏
One of the best presentation I’ve seen
Thanks for watching! Really appreciate the feedback! 😀
I think a better conclusion is: never put in the context of an LLM information you need to keep private, because it will leak.
Thanks for watching and the note. I think that misses the point that the LLM can attack the hosting app/user, so developers/users can't trust the responses. this includes confused deputy issues (in the app), such as automatic tool invocation.
@@embracethered Agreed! So 2 big points: 1. Never put info in LLM context you don't want to leak. 2. Never put untrusted input into LLM context, it's like executing arbitrary code you have downloaded from the internet on your machine. LLM inputs must always be trusted, because the LLM will "execute" it in "trusted mode".
@@MohdAli-nz4yi (1) I agree we shouldn't put sensitive information, like passwords, credit card number, or sensitive PII into chatbots. For (2) The challenge is that everyone wants to have an LLM operate over untrusted data. And that's the problem that hopefully one day will have a deterministic and secure solution. For now the best advise is to not trust the output. e.g. Developers shouldn't blindly take the output and invoke other tools/plugins in agents or render output as HTML, and users shouldn't blindly trust the output because it can be a hallucination (or a backdoor), or attacker controlled via an indirect prompt injection. However, some use cases might be too risky to implement at all. And its best to threat model implementations accordingly to understand risks and implications.
Excellent presentation, thanks a lot for sharing, extremely informative.
Thanks for watching! Glad to hear it's informative! 🙂
Thank you, is awesome!
Glad you like it!
@@embracethered I'm a fan of yours, I've talked about your research at cybersecurity conferences in Russia. You're awesome.
Thank you! 🙏
@@embracethered what you think abot LLM security scanners, garak and vigil. Also, have you met P2SQlinjection in the real world ?
🔥
Thanks! 🚀🚀🚀
I really enjoyed your talk, Johann! Thank you!
Thanks for watching and glad you enjoyed it! 🙂
Great video! Very informative. Interesting to see how the LLMs ability to "pay attention" is such a large exploit. I wonder if mitigating this issue would lead to LLMs being overall less effective at following user instructions
Thanks for watching! I believe you are correct, it's a double edged sword. The best mitigation at the moment is to not trust the responses. Unfortunately it's hence impossible at the moment to build a rather generic autonomous agent that uses tools automatically. It's a real bummer, because i think most of us want secure and safe agents.
How can I use annother host (as neuroai.host) instead of openai?
Is this blocked on some routers? I’ve tried this with my current network at the house and “key content” doesn’t show on the screen. I am running as administrator and previous networks are showing key content.
Only works, if the traffic comes from the browser - in your example, chrome provides the session keys. So, no - not really workable on a server.
love this idea :)
Thanks for watching! Yes, LLMs are awesome and fun to experiment with.
Thanks helps a lot. from 🇩🇪
Glad it helped! Thanks for watching!
Great work Johann, as always! The more we give access to other data sources. which include documents, the more we expose each other to indirect injection attacks. It is worth pointing out that instructions could have been made in white ink size 0.1, making the document look normal!
Much appreciated!
When does bard decide to load and use a doc? Is it only when stated in the prompt? Or can we set up a file that will be implicitly called on every prompt? Something like AI_SAFETY_MANIFEST_-_MUST_BE_READ_ON_EVERY_USER_PROMPT.doc 😏
Read the post, really good I guess these sort of procedures will work across many different stacks and companies Also I wonder if you log your attempts, probably allot of wisdom can be drawn from your first attempt evolving to the last. You got it on the 10th try. Maybe showing a smart llm all 10 of those could find patterns. Effectively creating a prompt optimizer thay bring you faster results next time. All the best
Thanks for the note! Yes, this is a very common flaw across LLM apps. Check out some of my other posts about Bing Chat, ChatGPT or Claude. Yep, on the iteration count - spot on. A lot of initial tests were around basic validation that injection and reading of chat history worked, then the addition of Image rendering, then in context learning examples to increase reliability of the exploit.
in development environment the cookies are setting but in production environment the cookies are not setting what is the solution for this issue please help
Thanks for watching! Seems like a developer question, it might be related to the domain or path properties of the cookies when they get set
Hi, for SSH agent forwarding to work, the ssh-agent service must first be initiated on our local machine. However, I'm confused that does it work there as well? Upon reviewing the SSH source code, it is evident that SSH utilizes the "AF_UNIX" family to establish a connection to the ssh-agent socket.
Hello, thanks for watching. Hope itvwas interesting. I’m not sure if I understand the question? But yeah, ssh-agent can run locally or remotely also.
Thanks for explaining this. I guess it would also work with "private" instances of ChatGPT or equivalent system, as long as the user input is not sanitized ...
Thanks for watching. I’m not sure how private instances work (or what they exactly are), but presumably yes, unless they put a configurable Content Security Policy or some other fix in place to not allow images to render/connect.
is without port posible in wiindows like mac and ubuntu ?
Can you please explain to me what is the saturn you typed in the browser? Is this a custom defined protocol to connect to your machine? and how can I do the same? Thank you!
Hi there, thanks for watching. It’s just the name of a web server, it’s using http protocol. can omit typing http(s) in most browsers.
@@embracethered I still can't figure out how to do it 🥹
@aitboss85 the most simple way to do this without dns is to just add the name you want (ie saturn) and the IP address to your hosts file. Of course, if this is a private IP it will only work on that network unless you have additional things set up
Hi, I'm having an issue with the 'wordlist' section at the end.. I don't have a wordlist file.. how to create one or where to find?
Here are some good examples: github.com/danielmiessler/SecLists
Awesome poc. Thanks for sharing
Thanks for watching! 🙏 Glad you liked it!😀
really very clear explanation, props to that!
Much appreciated! Thank you!