Simon Willison’s Weblog


Friday, 19th January 2024

AWS Fixes Data Exfiltration Attack Angle in Amazon Q for Business. An indirect prompt injection (where the AWS Q bot consumes malicious instructions) could result in Q outputting a markdown link to a malicious site that exfiltrated the previous chat history in a query string.

Amazon fixed it by preventing links from being output at all—apparently Microsoft 365 Chat uses the same mitigation.

# 12:02 pm / aws, security, ai, prompt-injection, generative-ai, llms, markdown-exfiltration