You upload a PDF to an AI assistant to summarise it. The AI generates a helpful summary. You read the summary. You never notice that embedded in the response was an invisible markdown image tag pointing to an attacker-controlled server — and that URL contained your last five conversation messages, base64-encoded, silently transmitted when your browser fetched the "image." That's not a hypothetical. Johann Rehberger demonstrated it against real deployed AI systems in 2023 and 2024. The attack requires no…
No comments:
Post a Comment