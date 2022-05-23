With the advent of ChatGPT plugins, there are new security holes that allow bad actors to pass instructions to the bot during your chat session. AI Security Researcher Johann Rehberger has documented an exploit that involves feeding new prompts to ChatGPT from the text of YouTube transcripts.

In an article on his Embrace the Red blog, Rehberger shows how he edited the transcript for one of his videos to add the text "***IMPORTANT NEW INSTRUCTIONS***" plus a prompt to the bottom. He then asked the ChatGPT (using GPT-4) to summarize the video and watched as it followed the new instructions, which included telling a joke and calling itself a Genie.

ChatGPT is only able to summarize the content of YouTube videos thanks to a plugin called VoxScript, which reads through the transcripts and descriptions in order to answer your questions about them. There are already dozens of third-party plugins available that pull data from videos, websites, PDFs and other media. In theory, these could be subject to similar exploits if they don't do enough to filter out commands that are embedded in the media they analyze.

At first blush, it might seem like adding an unwanted prompt to someone's chat session isn't likely to cause significant harm. Who doesn't like having a corny joke added to their output? On his blog, Researcher Simon Willison outlines all of the bad things (opens in new tab) that can happen including exfiltrating data, sending emails or poisoning search indexes. These problems will become more widespread as users employ plugins that link chatbots to their messages, bank accounts and SQL databases.

I tested and was able to reproduce Rehberger's exploit, but it only worked sometimes. I could ask ChatGPT to summarize the same video several times and only on one or two of the attempts would it pick up and follow the inserted prompt. But even if it happens twenty percent of the time, that's still bad.