What happens if an attacker calls an LLM tool or plugin recursively during an Indirect Prompt Injection? Could this be an issue and drive up costs, or DoS a system?
I tried it with ChatGPT, and it indeed works and the Chatbot enters a loop! 😊
However, for ChatGPT users this isn’t really a threat, because:
- It’s subscription based, so OpenAI would pay the bill.
- There seems to be a call limit of 10 times in a single conversation turn (I tried a few times).
- Lastly, one can click “Stop Generating” if the loop keeps ongoing.
Other applications might be vulnerable to this threat, especially if there is backend automation service consuming untrusted data and calling tools.
Things could become costly quickly!
Here is a short video: