Why this issue is particularly controversial right now
AI systems are increasingly being integrated into everyday processes: research, summaries, email drafts, document analysis, and support workflows. This is precisely what creates a new attack surface: it’s not just user input that matters, but also content from the web, documents, comments, or integrated tools. In this context, Tenable describes several attack vectors through which attackers can use hidden instructions to trick ChatGPT into performing unwanted actions, including data leakage from chats, connected services, or saved notes.
What is prompt injection, and what does "indirect" mean?
In prompt injection, attackers attempt to manipulate the instructions given to a language model in order to bypass security rules. Indirect prompt injection is particularly insidious: the malicious instruction is not contained within your query, but rather in external content that the model processes—such as a webpage, a comment, a file, or an embedded text block.
The 7 Ways Attackers Can Manipulate ChatGPT
In essence, the approaches described by Tenable can be summarized as follows in practical terms.
- Indirect prompt injection via seemingly trustworthy websites
Attackers hide instructions within legitimate content that are executed when the content is read or summarized. - Indirect Prompt Injection Without a Click in a Search Context
Even a single query can be enough if the model encounters tampered content during its search. - 1-Click Prompt Injection via Manipulated Links
A link can be constructed in such a way that a malicious prompt is immediately displayed when it is opened. - Bypassing security mechanisms via wrapper URLs
Redirects or wrapper links can obscure the actual destination and circumvent security checks. - Conversation Injection
Content from a search or tool context can be fed back into the conversation later and appear there as if it were genuine user input. - Hiding malicious content using formatting tricks
Malicious instructions can be hidden within code blocks or markup in such a way that humans can barely see them, but the model can. - Persistent Memory Injection
When memory features are used, attackers can place instructions in such a way that they remain active across multiple sessions until the memory or history is cleared.
What this means for businesses: The risk is not just theoretical
As soon as AI is used in conjunction with browser functionality, file uploads, knowledge bases, or connectors to email and Drive, a single piece of manipulated content can become a lever for exploitation. For this reason, OWASP identifies prompt injection as a key risk for LLM applications and explicitly recommends treating inputs from untrusted sources as potentially malicious and mitigating the impact through technical and organizational controls.
Preventive measures that take effect immediately
For individuals and teams who use ChatGPT
Keep the context strictly limited: Do not include passwords, API keys, internal customer lists, or confidential incidents in chats.
Manage memory carefully: Only enable memory when absolutely necessary, and check it regularly.
Treat links and sources with skepticism: Especially with redirects, wrapper links, and unusual parameters.
Minimize permissions: Only connect linked services when there is a clear purpose, and keep permissions to a minimum.
For organizations that use AI systems in production
Tool Isolation and Permission Design: Strictly separate connectors, browsing, and storage, and grant access based on the principle of least privilege.
Prompt Firewall Principle: Flag untrusted content; do not allow instructions from external sources to be interpreted as system or developer commands.
Prevent data leakage: DLP rules, secrets redaction, logging, and clear policies for sensitive content.
Security Testing: Red Teaming against prompt injection, including indirect paths via websites, PDFs, ticket systems, wikis, and code repositories.
Incident Response: When a data breach is suspected
If you suspect that AI workflows have been compromised, speed is of the essence: revoke connector tokens, terminate sessions, check storage and chat history, harden affected accounts, and back up logs. ITanic GmbH not only provides preventive support for the secure use of AI but also assists with incident response and forensic investigation if an incident has already occurred.
Conclusion
Prompt injection isn’t an abstract AI problem—it’s a security issue that affects your content, integrations, and permissions. Anyone using AI productively needs clear guidelines: minimal permissions, strict separation of contexts, testing for indirect attacks, and a robust incident response plan.