Remix.run Logo
wxw 3 hours ago

> Attacker leaves the comment on a creator's video.

> Creator opens YouTube studio's comment tab.

> Creator clicks a suggested AI prompt (Designed by YouTube)

> Injection fires, attacker-controlled content appears in the response.

It's insane that YouTube doesn't see prompt injection as a bug.

jdiff 3 hours ago | parent | next [-]

It opens a can of worms for them if they do consider prompt injection a bug because there's ultimately no defense. If they accept this, there are instantly hundreds of other moles they now have to whack or pay out for.

Or dismiss them all as social engineering and keep it moving.

Dylan16807 3 hours ago | parent | prev | next [-]

Yeah, if going to site and just clicking a link given to me by the site itself is getting socially engineered, then something is very wrong with that site.

krackers 2 hours ago | parent [-]

Youtube comments are also links given by the site. I think in this case it's not necessarily the prompt injection that's the issue but the fact that untrusted content allows formatted links. YouTube doesn't allow clicabkle links in comments iirc, so the same needs to be applied here.

jdiff an hour ago | parent | next [-]

Those are pretty clearly delineated as user-generated content, and also aren't able to be modified to include information that the malicious user doesn't have another way of accessing.

Dylan16807 2 hours ago | parent | prev [-]

If comments allowed links in general, this would be one step less egregious, but it would still be a huge issue if clicking a comment link could leak private information. The fact that the prompt injection can customize the link before giving it to the user is the bulk of the problem here. If it just regurgitated a link it would be a flaw but a notably smaller flaw.

muldvarp 3 hours ago | parent | prev | next [-]

Well prompt injection is pretty much unfixable. So if they actually saw this as a security vulnerability they would have to remove this feature.

afarah1 2 hours ago | parent [-]

Couple of things that could be done, from the top of my head:

- Strip links, script tags, etc - Apply the same filters used in user comments - Add a warning indicating user-generated content may be present

The post suggests the UX is problematic in that it allows user-generated links to pass as YouTube generated content. I'm not familiar with Creator Studio to know if this is the case, but if so, simple changes can go a long way.

latexr 2 hours ago | parent | prev | next [-]

> It's insane that YouTube doesn't see prompt injection as a bug.

Insane but not unexpected, from the company who literally sang at us that “there’s no wrong way to prompt”.

https://www.youtube.com/watch?v=9bBfYX8X5aU&t=48s

IshKebab an hour ago | parent | prev [-]

I dunno this seems like a quite far fetched attack with minimal impact in the very unlikely case that it succeeds.