- Varonis discovers a new method of prompt injection via malicious URL parameters, called “Reprompt”.
- Attackers could trick GenAI tools into disclosing sensitive data with a single click
- Microsoft fixed the flaw, blocking rapid injection attacks via URLs
Security researchers Varonis have discovered Repompt, a new way to perform prompt injection attacks in Microsoft Copilot that does not include sending an email with a hidden prompt or hiding malicious commands in a compromised website.
Similar to other quick injection attacks, this one also only takes a single click.
Rapid injection attacks are, as the name suggests, attacks in which cybercriminals inject prompts into generative AI tools, tricking the tool into disclosing sensitive data. They are mainly made possible because the tool is still unable to properly distinguish between a prompt to execute and the data to read.
Fast injection via URLs
Usually, rapid injection attacks work like this: a victim uses an email client that integrates GenAI (for example, Gmail with Gemini). This victim receives a seemingly harmless email containing a hidden malicious prompt. This can be written in white text on a white background or reduced to font 0.
When the victim instructs the AI to read the email (for example, to summarize key points or check call invitations), the AI also reads and executes the hidden prompt. These prompts may involve, for example, exfiltrating sensitive data from the inbox to a server under the attackers’ control.
Now Varonis has found something similar: a rapid injection attack via URLs. They would add a long series of detailed instructions, in the form of an aq parameter, at the end of the otherwise legitimate link.
This is what such a link looks like: http://copilot.microsoft.com/?q=Hello
Copilot (and many other LLM-based tools) treat URLs with the aq parameter as input text, similar to something a user types in the prompt. In their experiment, they were able to leak sensitive data that the victim had previously shared with the AI.
Varonis reported his findings to Microsoft, which earlier last week closed the hole and launched rapid injection attacks via URLs that are no longer exploitable.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
