What is a prompt injection attack?

Prompt injection attacks are a novel and evolving cybersecurity threat targeting artificial intelligence (AI) systems, specifically those that rely on large language models (LLMs). These attacks exploit vulnerabilities in how AI models process and interpret user input, allowing attackers to manipulate the system’s behaviour, potentially leading to harmful consequences.

How Prompt Injection Works

At its core, a prompt injection attack involves manipulating the instructions (the “prompt”) given to an AI model. Attackers craft malicious input designed to override the model’s intended behaviour and cause it to perform actions it wasn’t designed to do.

This can be achieved in a few ways:

  1. Direct Injection: Attackers directly input a malicious prompt into the AI system, causing it to bypass its safety guidelines or reveal sensitive information.
  2. Indirect Injection: Attackers embed malicious prompts within other data sources that the AI model processes, such as web pages or user comments. The model inadvertently consumes the malicious prompt, leading to unintended actions.

Types of Prompt Injection Attacks

i. Data Poisoning:

Data poisoning is a stealthy and insidious attack that targets the very foundation of an AI model – its training data. In this attack, malicious actors inject carefully crafted, misleading, or biased data into the dataset used to train the model. Over time, this poisoned data subtly alters the model’s learned patterns and behavior, causing it to make incorrect predictions, classifications, or exhibit unintended biases.

  • Sentiment Analysis: An attacker could inject negative reviews into a product’s dataset to artificially lower its rating or spread misinformation about its quality.
  • Recommendation Systems: Malicious actors could inject false preferences into a user’s profile to manipulate the recommendations they receive, potentially exposing them to harmful content or products.
  • Autonomous Vehicles: Poisoned data could trick a self-driving car’s object recognition system into misidentifying a stop sign as a speed limit sign, leading to dangerous driving behaviour.

ii. Adversarial Examples:

Adversarial examples are meticulously crafted inputs designed to exploit vulnerabilities in an AI model’s decision-making process. These inputs often appear normal or innocuous to humans but are carefully tuned to trigger incorrect outputs from the model.

  • Image Classification: An attacker could slightly alter the pixels of an image of a panda so that the AI model incorrectly classifies it as a gibbon.
  • Spam Filters: A spam email might be modified with subtle changes in wording or formatting to bypass the spam filter and land in a user’s inbox.
  • Fraud Detection: A fraudulent transaction could be disguised with carefully chosen features to evade the fraud detection system.

iii. Jailbreaking:

Jailbreaking, also known as “prompt leaking,” involves manipulating an AI model to bypass its safety guidelines and constraints. Attackers use carefully crafted prompts that trick the model into believing the malicious instructions are harmless or within its acceptable boundaries.

  • Content Filters: An attacker might try to circumvent a chatbot’s content filter by rephrasing a prohibited question in a way that the model doesn’t recognize as harmful.
  • Ethical Guidelines: A malicious prompt could convince a language model to generate harmful or discriminatory content by framing it as a hypothetical scenario or a creative exercise.
  • Command Injection: An attacker might try to gain control of an AI system by injecting commands disguised as innocent requests, gradually escalating their access and privileges.


Prompt injection attacks can have a range of harmful consequences, including:

1. Data Leakage

Prompt injection can be a sophisticated and stealthy way to extract sensitive or confidential information from an AI system. Attackers can leverage a technique known as “prompt leaking,” where they gradually coax the model into revealing information it wasn’t designed to share. This might involve asking seemingly innocuous questions that incrementally probe the system’s knowledge boundaries, eventually leading to the disclosure of confidential data such as customer records, financial details, or proprietary information.

An attacker might engage a customer service chatbot with seemingly harmless questions about the company’s products. However, they subtly steer the conversation towards more specific inquiries about security measures, internal processes, or even employee information. Over time, the chatbot might inadvertently reveal details that the attacker can exploit for malicious purposes.

2. Misinformation

Prompt injection can be weaponized to spread misinformation and manipulate public perception. Attackers can craft prompts that instruct the AI to generate false or misleading content, such as fake news articles, fabricated product reviews, or manipulated social media posts. This misinformation can be incredibly damaging, as it can quickly go viral and influence public opinion, market sentiment, or even political discourse.

An attacker might prompt a news-generating AI to create an article claiming a major company is facing financial ruin. If this fake news is convincing enough, it could trigger a stock market sell-off or damage the company’s reputation.

3. Social Engineering

Prompt injection can be used in social engineering attacks, where attackers manipulate individuals into revealing confidential information or performing actions that benefit the attacker. By crafting seemingly trustworthy prompts, attackers can leverage the perceived authority of the AI system to deceive users.

An attacker might inject a prompt into a customer support chatbot that directs users to a fake website designed to steal their login credentials or credit card information. The unsuspecting user might trust the chatbot’s recommendation and unknowingly fall victim to the scam.

Mitigation and Prevention

i. Input Validation and Sanitization:

This method involves implementing strict filters and validation rules to scrutinize user input before it reaches the AI model. The validation can include checking for specific patterns, keywords, or code snippets known to be associated with malicious prompts. Sanitization processes may also be used to remove or neutralize potentially harmful elements within the input.


  • Whitelisting: Only allowing specific, pre-approved inputs.
  • Blacklisting: Blocking known malicious input patterns or keywords.
  • Regular Expression Filtering: Using regular expressions to detect and filter out potentially harmful input patterns.
  • Input Length Restrictions: Limiting the maximum length of user input to prevent overly complex prompts.

ii. Sandboxing and Containment:

Sandboxing is used to isolate AI models from sensitive systems and data. The AI model is run in a restricted environment (a “sandbox”) with limited access to resources. This prevents a compromised AI model from directly accessing or manipulating sensitive data or causing damage to critical systems.


  • Containerization: Running the AI model in a container (like Docker or Kubernetes) that provides an isolated runtime environment.
  • Virtual Machines: Running the AI model in a virtual machine separate from the host operating system.
  • Cloud-Based Sandboxing: Using cloud-based services that provide secure, isolated environments for executing AI models.

iii. Rate Limiting:

Rate limiting restricts the number of requests a user or IP address can make to the AI system within a specific period. This prevents attackers from flooding the system with malicious prompts, potentially overwhelming its resources or causing a denial-of-service (DoS) condition.

  • Token Bucket Algorithm: Allocates a fixed number of tokens to each user, which are consumed with each request and replenished over time.
  • Leaky Bucket Algorithm: Limits the rate at which requests are processed, discarding excess requests that exceed the predefined threshold.

iv. Regular Updates and Patch Management:

Keeping the AI model, its underlying software, and associated libraries up-to-date with the latest security patches is essential. Software vulnerabilities can be exploited by attackers to gain unauthorized access or inject malicious prompts. Regular updates ensure that these vulnerabilities are addressed promptly.

v. Adversarial Training:

This technique exposes the AI model to a wide range of potential attack scenarios during the training process. By training the model on both legitimate and malicious prompts, it learns to recognize and resist adversarial inputs, making it more robust against prompt injection attacks.

vi. Human-in-the-Loop (HITL):

HITL is the process of incorporating human oversight into critical AI interactions. Human experts can monitor the AI’s responses, detect potential attacks, and intervene if necessary. This can be particularly effective for high-risk applications where the consequences of an attack could be severe.

By understanding how these attacks work and implementing industry-standard security measures, you or organizations can protect your AI-powered applications and services from this emerging threat.