{"id":"https://openalex.org/W4388886073","doi":"https://doi.org/10.1145/3605764.3623985","title":"Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection","display_name":"Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection","publication_year":2023,"publication_date":"2023-11-21","ids":{"openalex":"https://openalex.org/W4388886073","doi":"https://doi.org/10.1145/3605764.3623985"},"language":"en","primary_location":{"id":"doi:10.1145/3605764.3623985","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3605764.3623985","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5084917133","display_name":"Kai Greshake","orcid":"https://orcid.org/0009-0005-0460-5327"},"institutions":[{"id":"https://openalex.org/I91712215","display_name":"Saarland University","ror":"https://ror.org/01jdpyv68","country_code":"DE","type":"education","lineage":["https://openalex.org/I91712215"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Kai Greshake","raw_affiliation_strings":["Saarland University, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0009-0005-0460-5327","affiliations":[{"raw_affiliation_string":"Saarland University, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I91712215"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040674721","display_name":"Sahar Abdelnabi","orcid":"https://orcid.org/0009-0000-5269-951X"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sahar Abdelnabi","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0009-0000-5269-951X","affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5091229444","display_name":"Shailesh Mishra","orcid":"https://orcid.org/0009-0003-7330-1912"},"institutions":[{"id":"https://openalex.org/I91712215","display_name":"Saarland University","ror":"https://ror.org/01jdpyv68","country_code":"DE","type":"education","lineage":["https://openalex.org/I91712215"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Shailesh Mishra","raw_affiliation_strings":["Saarland University, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0009-0003-7330-1912","affiliations":[{"raw_affiliation_string":"Saarland University, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I91712215"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5004607650","display_name":"Christoph Endres","orcid":"https://orcid.org/0009-0005-7653-4417"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Christoph Endres","raw_affiliation_strings":["sequire technology GmbH, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0009-0005-7653-4417","affiliations":[{"raw_affiliation_string":"sequire technology GmbH, Saarbr\u00fccken, Germany","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5056790702","display_name":"Thorsten Holz","orcid":"https://orcid.org/0000-0002-2783-1264"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Thorsten Holz","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0000-0002-2783-1264","affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5003887059","display_name":"Mario Fritz","orcid":"https://orcid.org/0000-0001-8949-9896"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Mario Fritz","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0000-0001-8949-9896","affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5084917133"],"corresponding_institution_ids":["https://openalex.org/I91712215"],"apc_list":null,"apc_paid":null,"fwci":50.6699,"has_fulltext":false,"cited_by_count":299,"citation_normalized_percentile":{"value":0.99911392,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":99,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"79","last_page":"90"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.9962999820709229,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.9962999820709229,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9793000221252441,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9753000140190125,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7715936899185181},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.6624228954315186},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6585528254508972},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.5823752880096436},{"id":"https://openalex.org/keywords/interface","display_name":"Interface (matter)","score":0.5271562933921814},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.2328501045703888},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.09737524390220642}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7715936899185181},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.6624228954315186},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6585528254508972},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.5823752880096436},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.5271562933921814},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.2328501045703888},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.09737524390220642},{"id":"https://openalex.org/C129307140","wikidata":"https://www.wikidata.org/wiki/Q6795880","display_name":"Maximum bubble pressure method","level":3,"score":0.0},{"id":"https://openalex.org/C157915830","wikidata":"https://www.wikidata.org/wiki/Q2928001","display_name":"Bubble","level":2,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3605764.3623985","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3605764.3623985","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":10,"referenced_works":["https://openalex.org/W3110924547","https://openalex.org/W3133702157","https://openalex.org/W3176393001","https://openalex.org/W3176477796","https://openalex.org/W3212275118","https://openalex.org/W4296564631","https://openalex.org/W4362673335","https://openalex.org/W4378977274","https://openalex.org/W4385567134","https://openalex.org/W4385571158"],"related_works":["https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W3207760230","https://openalex.org/W1496222301","https://openalex.org/W3048799479","https://openalex.org/W2779961139","https://openalex.org/W3006507989","https://openalex.org/W4240241597","https://openalex.org/W4240288358","https://openalex.org/W2763500028"],"abstract_inverted_index":{"Large":[0],"Language":[1],"Models":[2],"(LLMs)":[3],"are":[4,167,181],"increasingly":[5],"being":[6],"integrated":[7],"into":[8,83],"applications,":[9],"with":[10],"versatile":[11],"functionalities":[12],"that":[13,27,46,66,208],"can":[14,150],"be":[15,87],"easily":[16],"modulated":[17],"via":[18],"natural":[19],"language":[20],"prompts.":[21],"So":[22],"far,":[23],"it":[24,38],"was":[25],"assumed":[26],"the":[28,33,41,50,123,157,170,193,203],"user":[29,42],"is":[30,39],"directly":[31],"prompting":[32],"LLM.":[34],"But,":[35],"what":[36],"if":[37,164],"not":[40],"prompting?":[43],"We":[44,92,120,144],"show":[45,145],"LLM-Integrated":[47],"Applications":[48],"blur":[49],"line":[51],"between":[52],"data":[53,84,109],"and":[54,56,106,115,137,140,160,163,195,202],"instructions":[55],"reveal":[57],"several":[58],"new":[59],"attack":[60],"vectors,":[61],"using":[62],"Indirect":[63],"Prompt":[64],"Injection,":[65],"enable":[67],"adversaries":[68],"to":[69,86,102,191],"remotely":[70],"(i.e.,":[71],"without":[72],"a":[73,94,98],"direct":[74],"interface)":[75],"exploit":[76],"LLM-integrated":[77],"applications":[78],"by":[79],"strategically":[80],"injecting":[81],"prompts":[82,149],"likely":[85],"retrieved":[88,148],"at":[89],"inference":[90],"time.":[91],"derive":[93],"comprehensive":[95],"taxonomy":[96],"from":[97,211],"computer":[99],"security":[100,118],"perspective":[101],"broadly":[103],"investigate":[104],"impacts":[105],"vulnerabilities,":[107,188],"including":[108],"theft,":[110],"worming,":[111],"information":[112],"ecosystem":[113],"contamination,":[114],"other":[116,165],"novel":[117],"risks.":[119],"then":[121],"demonstrate":[122],"practical":[124],"viability":[125],"of":[126,177,186,198,205],"our":[127],"attacks":[128],"against":[129],"both":[130],"real-world":[131],"systems,":[132],"such":[133],"as":[134,152],"Bing":[135],"Chat":[136],"code-completion":[138],"engines,":[139],"GPT-4":[141],"synthetic":[142],"applications.":[143],"how":[146,162],"processing":[147],"act":[151],"arbitrary":[153],"code":[154],"execution,":[155],"manipulate":[156],"application's":[158],"functionality,":[159],"control":[161],"APIs":[166],"called.":[168],"Despite":[169],"increasing":[171],"reliance":[172],"on":[173],"LLMs,":[174],"effective":[175],"mitigations":[176],"these":[178,187,199],"emerging":[179],"threats":[180],"lacking.":[182],"By":[183],"raising":[184],"awareness":[185],"we":[189],"aim":[190],"promote":[192],"safe":[194],"responsible":[196],"deployment":[197],"powerful":[200],"models":[201],"development":[204],"robust":[206],"defenses":[207],"protect":[209],"users":[210],"potential":[212],"attacks.":[213]},"counts_by_year":[{"year":2026,"cited_by_count":60},{"year":2025,"cited_by_count":142},{"year":2024,"cited_by_count":86},{"year":2023,"cited_by_count":11}],"updated_date":"2026-05-04T08:30:34.212998","created_date":"2025-10-10T00:00:00"}