We strolled through an enterprise AI assistant's backend, helped ourselves to full application takeover and access to every chat log, and had a Microsoft Entra ID dump for dessert — no prompt injection, no model tricks, no AI expertise required.
Fascinating research. The attack vector is straightforward: poison the RAG context, and the agent faithfully executes malicious instructions. This reinforces why external verification (high-SNR metrics) matters - without it, agents can’t detect when their ‘context’ has been compromised. Self-monitoring isn’t enough; you need ground truth outside the agent’s generation loop.
Fascinating research. The attack vector is straightforward: poison the RAG context, and the agent faithfully executes malicious instructions. This reinforces why external verification (high-SNR metrics) matters - without it, agents can’t detect when their ‘context’ has been compromised. Self-monitoring isn’t enough; you need ground truth outside the agent’s generation loop.
Seems like you’re talking about a different article: there was no context-poisoning, or in fact even anything LLM specific in this attack.
I guess that’s why the have BotAccount turned on. They are a “bot account”. Their username is also very telling.
Hu, it never occurred to me to check out these icons there - thanks for the heads-up: TIL