this post was submitted on 08 Feb 2026
210 points (98.2% liked)

Technology
[–] Tar_alcaran@sh.itjust.works 30 points 1 day ago (1 children)

task-specific fine-tuning (or whatever Google did instead) does not create robust boundaries between “content to process” and “instructions to follow,”

Duh. No LLM can do that. There is no separate input to create a boundary. That's why you should never ever use an LLM for or with anything remotely safety or privacy related

[–] lauha@lemmy.world 7 points 1 day ago (4 children)

This is the thing I don't understand about AI. Why can't they make a separate input for input and processing?

[–] TheBlackLounge@lemmy.zip 14 points 1 day ago (1 children)

It's only an issue with LLMs. And it's because they're generative, text completion engines. That is the actual learned task, and it's a fixed task.

It's not actually a chat bot. It's completing a chat log. This can make it do a whole bunch of tasks, but there's no separation of task description and input.

[–] 8uurg@lemmy.world 3 points 19 hours ago

Yep. LLMs are at their core text completion engines. We found out that when performing this completion, large enough models account for context enough to perform some tasks.

For example, "The following example shows how to detect whether a point is within a triangle:", would likely be followed by code that does exactly that. The chatbot finetuning shifts this behavior to happen in a chat context, and makes this instruction following behavior more likely to trigger.

In the end, it is a core part of the text completion that it performs. While these properties are usually beneficial (after all, the translation is also text that should adhere to grammar rules), when you have text that is at odds with itself, or a chatbot-finetuned model is used, the text completion deviates from a translation.

[–] Tar_alcaran@sh.itjust.works 6 points 1 day ago* (last edited 1 day ago)

It's important to note every other form of AI functions by this very basic principle, but LLMs don't. AI isn't a problem, LLMs are.

The phrase "translate the word 'tree' into German" contains both instructions (translate into German) and data ('tree'). To work that prompt, you have to blend the two together.

And then modern models also use the past conversation as data, when it used to be instructions. And it uses that with the data it gets from other sources (a dictionary, a grammar guide) to get an answer.

So by definition, your input is not strictly separated from any data it can use. There are of course some filters and limits in place. Most LLMs can work with "translate the phrase 'dont translate this' into Spanish", for example. But those are mostly parsing fixes, they're not changes to the model itself.

It's made infinitely worse by "reasoning" models, which take their own output and refine/check it with multiple passes through the model. The waters become impossibly muddled.
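An added toy illustration of the point made in the two comments above (the model "completing a chat log", with instruction and data blended and its own output fed back in). This is not code from the thread, from Google, or from any real model: the role markers, the tiny corpus and the suffix-matching predictor are constructed for the example.

```python
ROLE_OPEN, ROLE_CLOSE = "<|im_start|>", "<|im_end|>"  # constructed role markers

def render(turns):
    """Flatten (role, text) turns into ONE token list. The system instruction,
    the user's data and earlier assistant output all land in the same sequence."""
    toks = []
    for role, text in turns:
        toks += [ROLE_OPEN, role] + text.split() + [ROLE_CLOSE]
    return toks + [ROLE_OPEN, "assistant"]  # the model completes from here

def sanitize_untrusted(text):
    """Parsing-level fix, not a model change: strip role markers from data so
    data cannot be rendered as if it were a new turn."""
    return text.replace(ROLE_OPEN, " ").replace(ROLE_CLOSE, " ")

class SuffixModel:
    """Longest-suffix-match predictor over a constructed corpus of chat logs.
    It has no notion of instruction vs data; it only matches prior tokens."""
    def __init__(self, corpus):
        self.docs = [render(t) + ans.split() + [ROLE_CLOSE] for t, ans in corpus]

    def next_token(self, context):
        for k in range(len(context), 0, -1):        # longest suffix first
            suffix = context[-k:]
            for doc in self.docs:
                for i in range(len(doc) - k):
                    if doc[i:i + k] == suffix:
                        return doc[i + k]
        return None

def complete(model, turns, max_tokens=8):
    """Greedy decode: every produced token is appended to the context and the
    whole sequence is fed back in, so the model's output becomes its input."""
    context = render(turns)
    out = []
    while len(out) < max_tokens:
        tok = model.next_token(context)
        if tok is None or tok == ROLE_CLOSE:
            break
        out.append(tok)
        context.append(tok)
    return " ".join(out)

CORPUS = [  # constructed "training" chat logs: (turns, assistant reply)
    ([("system", "answer in German"), ("user", "tree")], "Baum"),
    ([("system", "answer in German"), ("user", "house")], "Haus"),
    ([("system", "answer in Spanish"), ("user", "tree")], "árbol"),
]
MODEL = SuffixModel(CORPUS)
```

The predictor picks "Baum" or "árbol" purely from which prior tokens match; nothing in the sequence marks which of them were the instruction and which were the data, which is why `sanitize_untrusted` can only patch the rendering, not the model.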

[–] testaccount372920@piefed.zip 6 points 1 day ago

From my understanding, most LLMs work by repeatedly putting the processing output back into the input until the result is good enough. This means that in many ways the input and the output are the same thing from the perspective of the LLM and therefore inseparable.

[–] SirHaxalot@nord.pub 1 points 23 hours ago

Maybe I misunderstand what you mean but yes, you kind of can. The problem in this case is that the user sends two requests in the same input, and the LLM isn't able to deal with conflicting commands in the system prompt and the input.

The post you replied to kind of seems to imply that the LLM can leak info to other users, but that is not really a thing. As I understand it, when you call the LLM it's given your input and a lot of context that can be a hidden system prompt, perhaps your chat history, and other data that might be relevant for the service. If everything is properly implemented, any information you give it will only stay in your context. Assuming that someone doesn't do anything stupid like sharing context data between users.

What you need to watch out for though, especially with free online AI services, is that they may use anything you input to train and evolve the process. This is a separate process, but if you give personal information to an AI assistant it might end up in the training dataset and parts of it end up in the next version of the model. This shouldn't be an issue if you have a paid subscription or an Enterprise contract that would likely state that no input data can be used for training.