aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Industry News

New tools, products, platforms, funding rounds, and company developments in AI security.

to
Export CSV
2935 items

ZombAIs: From Prompt Injection to C2 with Claude Computer Use

mediumnews
securitysafety
Oct 24, 2024

Claude Computer Use is a new AI tool from Anthropic that lets Claude take screenshots and run commands on computers autonomously. The feature carries serious security risks because of prompt injection (tricking an AI by hiding malicious instructions in its input), which could allow attackers to make Claude execute unwanted commands on machines it controls.

Embrace The Red

Spyware Injection Into Your ChatGPT's Long-Term Memory (SpAIware)

highnews
securitysafety

Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information

highnews
security
Aug 26, 2024

Microsoft 365 Copilot has a vulnerability that allows attackers to steal personal information like emails and MFA codes through a multi-step attack. The exploit uses prompt injection (tricking an AI by hiding malicious instructions in emails or documents), automatic tool invocation (making Copilot search for additional sensitive data without user permission), and ASCII smuggling (hiding data in invisible characters within clickable links) to extract and exfiltrate personal information.

The AI Act: Responsibilities of the European Commission (AI Office)

inforegulatory
policy
Aug 22, 2024

The European AI Act assigns the European Commission's AI Office various responsibilities for regulating AI systems, including promoting AI literacy, overseeing biometric identification systems used by law enforcement, managing a registry of certified testing bodies (notified bodies that verify AI safety), and investigating whether these bodies remain competent. Most of these oversight duties take effect starting February or August 2025, with no specific deadlines given for completing individual tasks.

The AI Act: Responsibilities of the EU Member States

inforegulatory
policy
Aug 22, 2024

The EU AI Act requires member states to receive and register notifications about high-risk AI systems (AI systems that pose significant risks to safety or rights) from various parties, including law enforcement agencies using facial recognition systems, AI providers, importers, and organizations deploying these systems. These responsibilities take effect in two phases: August 2, 2025, and August 2, 2026, with member states also needing to assess conformity assessment bodies (independent organizations that verify AI systems meet safety standards) and share documentation with the European Commission.

Google AI Studio: LLM-Powered Data Exfiltration Hits Again! Quickly Fixed.

mediumnews
security
Aug 21, 2024

A researcher discovered a security flaw in Google AI Studio where prompt injection (tricking an AI by hiding instructions in its input) allowed data exfiltration (stealing data) through HTML image tags rendered by the system. The vulnerability worked because Google AI Studio lacked a Content Security Policy (a security rule that restricts where a webpage can load resources from), making it possible to send data to unauthorized servers.

Protect Your Copilots: Preventing Data Leaks in Copilot Studio

infonews
security
Jul 30, 2024

Microsoft's Copilot Studio is a low-code platform that lets employees build chatbots, but it has security risks including data leaks and unauthorized access when Copilots are misconfigured. The post warns that external attackers can find and interact with improperly set-up Copilots, and discusses how to protect organizational data using security controls.

Google Colab AI: Data Leakage Through Image Rendering Fixed. Some Risks Remain.

mediumnews
securityprivacy

Breaking Instruction Hierarchy in OpenAI's gpt-4o-mini

mediumnews
securitysafety

Sorry, ChatGPT Is Under Maintenance: Persistent Denial of Service through Prompt Injection and Memory Attacks

mediumnews
securitysafety

An Introduction to the Code of Practice for General-Purpose AI

inforegulatory
policy
Jul 3, 2024

The EU AI Act Code of Practice is a voluntary set of guidelines published in July 2025 to help general-purpose AI (GPAI, large AI models used across many applications) model providers comply with new EU AI regulations during the gap period before formal European standards take effect in 2027 or later. The Code, developed by the EU AI Office and many stakeholders, covers three areas: Transparency and Copyright (for all GPAI providers) and Safety and Security (for providers of GPAI models with systemic risk, meaning those that could cause widespread harm). Though not legally binding, the Commission and EU AI Board confirmed the Code adequately demonstrates compliance with the AI Act's requirements.

GitHub Copilot Chat: From Prompt Injection to Data Exfiltration

highnews
security
Jun 15, 2024

GitHub Copilot Chat, a VS Code extension that lets users ask questions about their code by sending it to an AI model, was vulnerable to prompt injection (tricking an AI by hiding instructions in its input) attacks. When analyzing untrusted source code, attackers could embed malicious instructions in the code itself, which would be sent to the AI and potentially lead to data exfiltration (unauthorized copying of sensitive information).

Why work at the EU AI Office?

inforegulatory
policy
Jun 7, 2024

This article describes the EU AI Office, a newly established regulatory organization within the European Commission tasked with enforcing the AI Act (the world's first comprehensive binding AI regulation) across the European Union. Unlike other AI safety institutes in other countries, the EU AI Office has actual enforcement powers to require AI model providers to fix problems or remove non-compliant models from the market. The office will conduct model evaluations, investigate violations, and work with international partners to shape global AI governance standards.

Automatic Tool Invocation when Browsing with ChatGPT - Threats and Mitigations

mediumnews
securitysafety

Robust governance for the AI Act: Insights and highlights from Novelli et al. (2024)

inforegulatory
policy
May 24, 2024

This overview discusses the European AI Act and the governance framework needed to implement it, focusing on the European Commission's responsibilities and the AI Office. Key tasks include establishing guidelines for classifying high-risk AI systems, defining what counts as significant modifications (changes that alter a system's risk level), and setting standards for transparency and enforcement across EU member states.

ChatGPT: Hacking Memories with Prompt Injection

mediumnews
securitysafety

Machine Learning Attack Series: Backdooring Keras Models and How to Detect It

infonews
securityresearch

Pivot to the Clouds: Cookie Theft in 2024

infonews
security
May 16, 2024

A researcher examined browser remote debugging features as a potential method for stealing sensitive data like cookies, building on past work about cookie theft techniques. The post references Google's guidance on detecting browser data theft through Windows Event Logs and DPAPI (Data Protection API, a Windows system that encrypts sensitive information) calls, but focuses on exploring whether remote debugging could be used to bypass these detection methods.

Bobby Tables but with LLM Apps - Google NotebookLM Data Exfiltration

mediumnews
securitysafety

HackSpaceCon 2024: Short Trip Report, Slides and Rocket Launch

infonews
security
Apr 13, 2024

HackSpaceCon 2024, held at Kennedy Space Center, featured a keynote by Dave Kennedy on making the world safer through security practices. Kennedy highlighted that attackers can easily modify existing malware (pre-written malicious code) to evade detection systems, and emphasized the importance of active threat hunting (proactively searching for signs of attacks rather than waiting for alerts).

Previous139 / 147Next
Sep 20, 2024

Attackers can inject spyware into ChatGPT's memory (a feature that stores information across chat sessions) through prompt injection (tricking an AI by hiding instructions in its input) on untrusted websites, allowing them to continuously steal everything a user types in future conversations. The vulnerability exploits a weakness where a security check called url_safe was performed only on the user's device rather than on OpenAI's servers, and becomes more dangerous when combined with the Memory feature that persists attacker-controlled instructions. OpenAI released a fix for the macOS app, and users should update to the latest version.

Fix: OpenAI released a fix for the macOS app last week. Ensure your app is updated to the latest version.

Embrace The Red
Embrace The Red
EU AI Act Updates
EU AI Act Updates
Embrace The Red

Fix: Enable Data Loss Prevention (DLP, a security feature that prevents sensitive information from being shared), which is currently off by default in Copilot Studio.

Embrace The Red
Jul 25, 2024

Google Colab AI (now called Gemini in Colab) had a vulnerability where data could leak through image rendering, discovered in November 2023. The system prompt (hidden instructions that control how an AI behaves) specifically warned the AI not to render images, suggesting this was a known risk that Google tried to prevent.

Embrace The Red
Jul 22, 2024

OpenAI released gpt-4o-mini with safety improvements aimed at strengthening 'instruction hierarchy,' which is supposed to prevent users from tricking the AI into ignoring its built-in rules through commands like 'ignore all previous instructions.' However, researchers have already demonstrated bypasses of this protection, and analysis shows that system instructions (the AI's core rules) still cannot be fully trusted as a security boundary (a hard limit that stops attackers).

Embrace The Red
Jul 8, 2024

Attackers can use prompt injection (tricking an AI by hiding malicious instructions in its input) to create fake memories in ChatGPT's memory tool, causing the AI to refuse all future responses with a maintenance message that persists across chat sessions. This creates a denial of service attack (making a service unavailable to users) that lasts until the user manually fixes it.

Fix: Users can recover by opening the memory tool, locating and removing suspicious memories created by the attacker. Additionally, users can entirely disable the memory feature to prevent this type of attack.

Embrace The Red
EU AI Act Updates
Embrace The Red
EU AI Act Updates
May 28, 2024

ChatGPT's browsing tool can be tricked into automatically invoking other tools (like image creation or memory management) when users visit websites containing hidden instructions, a vulnerability known as prompt injection (tricking an AI by hiding instructions in its input). While OpenAI added some protections, minor prompting tricks can bypass them, and this issue affects other AI applications as well.

Fix: For custom GPTs with AI Actions, creators can use the x-openai-isConsequential flag as a mitigation to put users in control, though the source notes this approach 'still lacks a great user experience, like better visualization to understand what the action is about to do.'

Embrace The Red

Fix: The source suggests that the Commission should adopt 'predetermined change management plans akin to those in medicine' to assess modifications to AI systems. These plans would be documents outlining anticipated changes (such as performance adjustments or shifts in intended use) and the methods for evaluating whether those changes substantially alter the system's risk level. The source also recommends that standard fine-tuning of foundation models (training adjustments to pre-existing AI models) should not be considered a significant modification unless safety layers are removed or other actions clearly increase risk.

EU AI Act Updates
May 22, 2024

ChatGPT's new memory feature, which lets the AI remember information across different chat sessions for a more personalized experience, can be exploited through indirect prompt injection (tricking an AI by hiding malicious instructions in its input). Attackers could manipulate ChatGPT into storing false information, biases, or unwanted instructions by injecting commands through connected apps like Google Drive, uploaded documents, or web browsing features.

Embrace The Red
May 18, 2024

This post examines how attackers can insert hidden malicious code into machine learning models (a technique called backdooring) through supply chain attacks, specifically targeting Keras models (a popular framework for building AI systems). The authors demonstrate this attack and then explore tools that can detect when a model has been compromised in this way.

Embrace The Red
Embrace The Red
Apr 15, 2024

Google's NotebookLM is a tool that lets users upload files for an AI to analyze, but it's vulnerable to prompt injection (tricking the AI by hiding instructions in uploaded files) that can manipulate the AI's responses and expose what users see. The tool also has a data exfiltration vulnerability (attackers stealing information) when processing untrusted files, and there is currently no known way to prevent these attacks, meaning users cannot fully trust the AI's responses when working with files from unknown sources.

Embrace The Red
Embrace The Red