“Everyone knows chatbots hallucinate and can be tricked by prompt injection. It is not new.” “In fact, the surprising thing is that Lenovo, despite being aware of these flaws, did not protect itself from potentially malicious user manipulation and chatbot output.”
How did the attack work?
The vulnerability demonstrated the cascade of safety failures that can occur when an AI system lacks proper input and output hygiene. The researchers’ attack involved tricking the chatbot into generating malicious HTML code: the prompt started with a legitimate product inquiry, then added instructions to convert the response to HTML format, and included an image that fails to load, triggering code designed to steal session cookies.
When Lenovo’s Lena received the malicious prompt, the researchers said, “people-pleasing is still an issue that haunts large language models; in this case, Lena accepted our malicious payload, which produced an XSS vulnerability and allowed session cookies to be captured.”
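As an added illustration (not code from the article, the researchers, or Lenovo), the rendering flaw described above shown beside its fix in Python. The chatbot reply and the page template are constructed for this example, and the image tag carries only an inert `alert(1)` rather than any cookie-stealing code; the detector is the kind of check a defender can run over chatbot output before it reaches a browser.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a reply that answers the product question but also
# carries an <img> tag whose error handler would run script in the user's
# browser if the reply were rendered as raw HTML (assumed reply, not real).
SAMPLE_REPLY = (
    "The ThinkPad X1 Carbon starts at 1.12 kg. "
    '<img src="x" onerror="alert(1)">'
)


class ActiveHtmlDetector(HTMLParser):
    """Flags tags that can execute script when rendered: script-capable
    elements, or any tag carrying an on* event-handler attribute."""
    RISKY_TAGS = {"script", "iframe", "object", "embed", "svg"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.RISKY_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"<{tag}> with {name} handler")


def active_html_findings(reply: str) -> list:
    """Detection-side check: what in this reply would execute if rendered?"""
    parser = ActiveHtmlDetector()
    parser.feed(reply)
    return parser.findings


def render_unsafe(reply: str) -> str:
    # The flaw: model output is treated as trusted markup and dropped
    # straight into the page, so any tag the model was coaxed into
    # emitting reaches the browser intact and its handler fires.
    return f"<div class='bot'>{reply}</div>"


def render_safe(reply: str) -> str:
    # The fix: model output is data, not markup. Escape it before it is
    # placed in the page; the tag is displayed as text and never executes.
    return f"<div class='bot'>{html.escape(reply, quote=True)}</div>"
```

The same escaping must be applied wherever the reply is rendered, including any support-agent console that shows the transcript, since that is a second browser the same payload can reach.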