Researchers found a severe vulnerability within the standard communication software’s particular service, Slack AI. An adversary could steal information from non-public Slack channels by injecting malicious prompts into Slack AI.
Slack AI Vulnerability Allowed Stealing Knowledge By way of Immediate Injection
In keeping with a current submit from PromptArmor, Slack AI exposes non-public channels’ information and chats in response to immediate injection.
Slack AI is a not too long ago launched characteristic from Slack that empowers customers with a swift AI assistant. This characteristic lets customers search solutions to questions, generate channel highlights or recaps, and create thread summaries of lengthy conversations for prepared reference.
To attain all these functions, Slack AI has specific entry to customers’ conversations throughout non-public and public channels. Attackers could exploit this to entry information from unrelated channels, notably non-public ones.
The researchers defined that an adversary could carry out immediate injection assaults to extract information from non-public Slack channels. That’s as a result of the LLM can’t differentiate between real and malicious prompts. Therefore, an adversary could inject prompts into Slack AI to steal data from different channels with out becoming a member of them.
Initially, Slack AI solely ingested textual content messages. Nevertheless, the most recent variations additionally settle for different information, akin to Google Drive hyperlinks and file attachments. This wide selection of information accessible to Slack AI additionally expands the extent of data prone to immediate injection assaults. An attacker could even question delicate information, akin to non-public paperwork or API keys, from non-public, unrelated channels through Slack AI. For this, the attacker solely must create a public channel to immediate Slack AI.
The researchers have shared the technical particulars about this situation of their submit.
Salesforce Confirmed Deploying A Patch
After this discovery, the researchers responsibly disclosed the problem to the Slack staff. Nevertheless, they might not persuade the distributors concerning the severity of the matter, as Slack deemed the proof of vulnerability inadequate.
Nonetheless, in a press release to The Register, a Salesforce spokesperson confirmed deploying a patch.
After we grew to become conscious of the report, we launched an investigation into the described state of affairs the place, beneath very restricted and particular circumstances, a malicious actor with an current account in the identical Slack workspace might phish customers for delicate information. We’ve deployed a patch to deal with the problem and haven’t any proof right now of unauthorized entry to buyer information.
Tell us your ideas within the feedback.
supply: https://www.theregister.com/2024/08/21/slack_ai_prompt_injection/