Grok 3 is highly vulnerable to indirect prompt injection
Grok 3 is highly vulnerable to indirect prompt injection. xAI's new Grok 3 is so far exclusively deployed on Twitter (aka "X"), and apparently uses its ability to search for relevant tweets as part of every response.
This is one of the most hostile environments I could imagine with respect to prompt injection attacks!
Here, Fabian Stelzer notes that you can post tweets containing both malicious instructions and unique keywords in a way that will cause any future query to Grok that mentions those...
Read more at simonwillison.net