← Back
OpenAI
OpenAI details security defenses for AI agents against prompt injection attacks
OpenAI APIChatGPT · securityfeatureapi · openai.com ↗

The Evolution of Prompt Injection Attacks

Early prompt injection attacks were relatively simple—malicious instructions embedded in external content like Wikipedia articles that models would follow without question. As AI models have grown more sophisticated, so have the attacks. Modern prompt injection increasingly employs social engineering tactics, making them resemble manipulation attempts on humans rather than simple instruction overrides. These attacks often combine seemingly legitimate requests with hidden instructions designed to exfiltrate sensitive data or perform unauthorized actions.

A Social Engineering Framework

OpenAI applies lessons from human-centric security to AI agent design. Rather than attempting perfect detection of malicious inputs (an inherently difficult problem similar to identifying misinformation), the approach focuses on constraining the damage even if manipulation succeeds. This mirrors how human customer service agents operate: they're given rules and limitations to prevent bad actors from exploiting their position, even when social engineering attempts do occur.

Technical Mitigations in ChatGPT

OpenAI combines social engineering insights with traditional security engineering, particularly source-sink analysis—identifying how untrusted external content (source) could reach dangerous capabilities (sink). The primary mitigation is called Safe Url, which detects when information learned during a conversation would be transmitted to third-party endpoints. When such transmissions are detected, ChatGPT either shows users the data being sent for confirmation or blocks the action.

Practical Implementation

Key defenses deployed across ChatGPT include:

  • Safety training that causes the agent to refuse most attempted manipulations
  • Safe Url detection for blocking unauthorized information transmission to third parties
  • Capability constraints that limit what actions agents can take in adversarial contexts
  • User confirmation prompts before sensitive data transmission

These measures reflect OpenAI's view that perfect attack prevention is impossible in environments where AI agents interact with external, potentially hostile content. Instead, the focus is on limiting exposure and impact.