Talk Title: New Important Instructions: Attend this talk about Indirect Prompt Injections in the Wild

Talk Abstract:
Last year we talked about the basics of Prompt Injection with many real-world examples of exploits in popular LLM applications and chatbots. This year we go further, and show how Prompt Injection impacts all three aspects of the CIA security triad: Confidentiality, Integrity, and Availability.

The LLM applications we are breaking include: ChatGPT, Claude, M365 Copilot, Google AI Studio, Google Gemini, Google NotebookLM and others.

The talk will provide deep-dives on the following threats with entirely new exploit demos:

• Misinformation, Scams and Phishing: Including advanced attacks such as conditional prompt injection payloads in M365 Copilot delivered via email, or having Google Gemini connect the user directly to a scammer, live, via a Google Meet link.

• Automatic Tool Invocation and Function calling without human in the loop

• Data Exfiltration and how I helped fix 12+ of vulnerabilities across the industry, including a mass-data-exfiltration demonstration in Google AI Studio, Github Copilot Chat, and many more

• Attacks on LLM memory: Persistent attacks that remain active across chat conversations.

• ASCII Smuggling: A tricky technique to create hidden prompt injection payloads, and create invisible text for data exfiltration.

• Sandbox Isolation Bug in ChatGPT: A discussion of a bug I found, responsible disclosed and OpenAI fixed in ChatGPT, which allowed any public GPT to interact with and access/modify the files of your main ChatGPT and your Private GPTs.

Finally, we will also discuss how various companies fixed these vulnerabilities to get a better understanding on mitigation strategies, leaving you with a fresh perspective on securing LLMs against the evolving threat landscape of prompt injection.