Researchers found a severe vulnerability within the common communication device’s particular service, Slack AI. An adversary might steal knowledge from non-public Slack channels by injecting malicious prompts into Slack AI.
Slack AI Vulnerability Allowed Stealing Information Through Immediate Injection
In response to a current post from PromptArmor, Slack AI exposes non-public channels’ knowledge and chats in response to immediate injection.
Slack AI is a just lately launched function from Slack that empowers customers with a swift AI assistant. This function lets customers search solutions to questions, generate channel highlights or recaps, and create thread summaries of lengthy conversations for prepared reference.
To attain all these functions, Slack AI has specific entry to customers’ conversations throughout non-public and public channels. Attackers might exploit this to entry knowledge from unrelated channels, notably non-public ones.
The researchers defined that an adversary might carry out immediate injection assaults to extract knowledge from non-public Slack channels. That’s as a result of the LLM can’t differentiate between real and malicious prompts. Therefore, an adversary might inject prompts into Slack AI to steal info from different channels with out becoming a member of them.
Initially, Slack AI solely ingested textual content messages. Nevertheless, the most recent variations additionally settle for different knowledge, akin to Google Drive hyperlinks and file attachments. This wide selection of knowledge accessible to Slack AI additionally expands the extent of knowledge susceptible to immediate injection assaults. An attacker might even question delicate knowledge, akin to non-public paperwork or API keys, from non-public, unrelated channels through Slack AI. For this, the attacker solely must create a public channel to immediate Slack AI.
The researchers have shared the technical particulars about this situation of their put up.
Salesforce Confirmed Deploying A Patch
After this discovery, the researchers responsibly disclosed the problem to the Slack staff. Nevertheless, they may not persuade the distributors in regards to the severity of the matter, as Slack deemed the proof of vulnerability inadequate.
Nonetheless, in a press release to The Register, a Salesforce spokesperson confirmed deploying a patch.
Once we turned conscious of the report, we launched an investigation into the described state of affairs the place, below very restricted and particular circumstances, a malicious actor with an present account in the identical Slack workspace may phish customers for delicate knowledge. We’ve deployed a patch to deal with the problem and don’t have any proof at the moment of unauthorized entry to buyer knowledge.
Tell us your ideas within the feedback.
supply: https://www.theregister.com/2024/08/21/slack_ai_prompt_injection/
