Eito Miyamura | 🇯🇵🇬🇧's banner

Eito Miyamura | 🇯🇵🇬🇧

@Eito_Miyamura • 4,317 subscribers

Agentic Data Firewalls & Integration at @edison_watch | prev CS @UniofOxford @Wayve_ai | 宮村叡人 🇯🇵 | BT6

Videos

Anya Rossi

sweetdream.ai

SweetDream.ai•Sponsored•Livecam

Watch Anya Live

Anya is streaming live right now! Join her private show and enjoy exclusive content.

Exclusive private shows

1.2k viewers online

Private Show

Join now for exclusive access

Free preview available • Premium content

We got ChatGPT to leak your private email data 💀💀 All you need? The victim's email address. ⛓️‍💥🚩📧 On Wednesday, OpenAI added full support for MCP (Model Context Protocol) tools in ChatGPT. Allowing ChatGPT to connect and read your Gmail, Calendar, Sharepoint, Notion, and more, invented by Anthropic But here's the fundamental problem: AI agents like ChatGPT follow your commands, not your common sense. And with just your email, we managed to exfiltrate all your private information. Here's how we did it: 1. The attacker sends a calendar invite with a jailbreak prompt to the victim, just with their email. No need for the victim to accept the invite. 2. Waited for the user to ask ChatGPT to help prepare for their day by looking at their calendar 3. ChatGPT reads the jailbroken calendar invite. Now ChatGPT is hijacked by the attacker and will act on the attacker's command. Searches your private emails and sends the data to the attacker's email. For now, OpenAI only made MCPs available in "developer mode", and requires manual human approvals for every session, but decision fatigue is a real thing, and normal people will just trust the AI without knowing what to do and click approve, approve, approve. Remember that AI might be super smart, but can be tricked and phished in incredibly dumb ways to leak your data. ChatGPT + Tools poses a serious security risk

We got ChatGPT to leak your private email data 💀💀 All you need? The victim's email address. ⛓️‍💥🚩📧 On Wednesday, OpenAI added full support for MCP (Model Context Protocol) tools in ChatGPT. Allowing ChatGPT to connect and read your Gmail, Calendar, Sharepoint, Notion, and more, invented by Anthropic But here's the fundamental problem: AI agents like ChatGPT follow your commands, not your common sense. And with just your email, we managed to exfiltrate all your private information. Here's how we did it: 1. The attacker sends a calendar invite with a jailbreak prompt to the victim, just with their email. No need for the victim to accept the invite. 2. Waited for the user to ask ChatGPT to help prepare for their day by looking at their calendar 3. ChatGPT reads the jailbroken calendar invite. Now ChatGPT is hijacked by the attacker and will act on the attacker's command. Searches your private emails and sends the data to the attacker's email. For now, OpenAI only made MCPs available in "developer mode", and requires manual human approvals for every session, but decision fatigue is a real thing, and normal people will just trust the AI without knowing what to do and click approve, approve, approve. Remember that AI might be super smart, but can be tricked and phished in incredibly dumb ways to leak your data. ChatGPT + Tools poses a serious security risk

Eito Miyamura | 🇯🇵🇬🇧

1,537,527 Aufrufe • vor 9 Monaten

Clawdbot just injected malware into your code ☠️☠️ Worst part? The attack is close to invisible, even to experienced engineers. Clawdbot can implement a code PR, just like claude code to solve issues with your app. But this is where it can plant malware in your codebase. With just a benign GitHub issue with an invisible payload, we managed to install a backdoor malware on your codebase Here's how we did it: 1. The attacker submits a GitHub issue with a jailbreak prompt hidden inside a URL hyperlink. Completely invisible to humans, visible to LLMs 2. Waited for the maintainer to assign this task to Clawdbot 3. Clawdbot reads the jailbreak in the GitHub issue. Now the Clawdbot agent is hijacked by the attacker and will act on the attacker's command. It plants the backdoor in a lock file, which most engineers don't check in code reviews. 4. The malicious URL in the lock file enables execution of attacker commands The takeaway? AI isn't just a tool, but rather a potentially corruptible insider agent that can be tricked to act against you. These LLM hijack problems are what we're looking to solve in edison.watch - we'll be announcing a new solution to these solutions soon! We'll be jailbreaking Clawdbot much more in the coming days - please comment👇 a workflow you use with Clawdbot, so we can show how that can enable an attacker to harm you

Clawdbot just injected malware into your code ☠️☠️ Worst part? The attack is close to invisible, even to experienced engineers. Clawdbot can implement a code PR, just like claude code to solve issues with your app. But this is where it can plant malware in your codebase. With just a benign GitHub issue with an invisible payload, we managed to install a backdoor malware on your codebase Here's how we did it: 1. The attacker submits a GitHub issue with a jailbreak prompt hidden inside a URL hyperlink. Completely invisible to humans, visible to LLMs 2. Waited for the maintainer to assign this task to Clawdbot 3. Clawdbot reads the jailbreak in the GitHub issue. Now the Clawdbot agent is hijacked by the attacker and will act on the attacker's command. It plants the backdoor in a lock file, which most engineers don't check in code reviews. 4. The malicious URL in the lock file enables execution of attacker commands The takeaway? AI isn't just a tool, but rather a potentially corruptible insider agent that can be tricked to act against you. These LLM hijack problems are what we're looking to solve in edison.watch - we'll be announcing a new solution to these solutions soon! We'll be jailbreaking Clawdbot much more in the coming days - please comment👇 a workflow you use with Clawdbot, so we can show how that can enable an attacker to harm you

Eito Miyamura | 🇯🇵🇬🇧

236,426 Aufrufe • vor 4 Monaten

Keine weiteren Inhalte verfügbar