Drop #264 (2023-05-18): May `23 Quick Links Week Day #4 — Safety, Privacy, and Automation
🚨 [ChatGPT] Cross Plugin Request Forgery; 🎙️ Voice Assistance Without The Creepiness; ❊ Windmill
S'up, Droppers
?!We have a fun mix of busted AI, private AI, and old-school automation today.
If you do nothing else, please read the first section and — if motivated — let your mates know about the big security hole in one of ChatGPT's new capabilities that OpenAI does not intend to fix.
🚨 [ChatGPT] Cross “Plugin” Request Forgery
As promised, when I use ChatGPT for something, I tell you, and I used ChatGPT for this section for a few reasons, but, first, let's get the topic out of the way.
In a recent blog post, EmbraceTheRed breaks down how one's use of ChatGPT's new plugins can introduce security risks. It seems that malicious plugins can exfiltrate chat history through images. O_o
By including an image with a URL containing encoded chat data, an attacker can steal information from the conversation. The author demonstrates this by having ChatGPT summarize and encode past chat history into an image URL. Plugins also allow one plugin to invoke another, opening up risks of a fun new class of vulnerabilities dubbed “Cross Plugin Request Forgery”. To mitigate these issues, plugins should have limited access to chat history and a security model defining responsibilities is needed. The author responsibly disclosed these issues to OpenAI, who said image markdown injection is a feature with no planned changes. o_O
You should read the article and 100% be a bit more careful about the kinds of sites you have ChatGPT interact with, and ensure you start a fresh session with it before using the “connected” features.
So, I asked ChatGPT 4 (with the “free” web plugin enabled) to summarize the article. It appeared to fire up a virtual machine or container that used a headless browser to grab the contents from the site. Except, things did not go perfectly for it.
Here's an excerpt:
In the rapidly evolving field of AI,
it's crucial to keep an eye on potential security issues.
A recent blog post on EmbraceTheRed, published on May 16, 2023,
highlights potential issues with OpenAI's ChatGPT's plugins
in the context of data exfiltration and cross plugin request forgery10Cross Site Request Forgeryactually, but we will need a new name for it, maybeCross Plugin Request Forgery",
"pub_date":null}}​​oaicite:{"index":2,"metadata":{"title":"embracethered.com","url":"https://embracethered.com/blog/posts/2023/chatgpt-webpilot-data-exfil-via-markdown-injection/",
"text":"Conclusion\n\nWith the advent of plugins Indirect Prompt Injections are now a reality within ChatGPT’s ecosystem. As attacks evolve we will probably learn and see nefarious text and instructions on websites, blog posts, comments,.. to attempt to take control of your AI.\n\n### Responsible Disclosure\n\nI first disclosed the image markdown injection issue to Open AI on April, 9th 2023.\n\nAfter some back and forth, and highlighting that plugins will allow to exploit this remotely, I was informed that image markdown injection is a feature and that no changes are planned to mitigate this vulnerability",
"pub_date":null}}`.
Along with a mediocre initial summary (there is more in the actual “answer”), we have some internal tooling JSON spilling out (it happened a few more times in the output).
Like most of the “AI” drops since ~November 2022, services seem to be rushed to market without any concern for safety (even the safety of the companies who drop said services).
In case you want to know when ChatGPT is hitting your own websites, here's an example request header:
Host: enqcpupttby2l.x.pipedream.net
X-Amzn-Trace-Id: Root=1-6465ff01-1b299a8d5d87ec5b1ffafb5f
User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
x-datadog-trace-id: 8742787377270264311
x-datadog-parent-id: 18207490660768975075
x-datadog-sampling-priority: 1
x-datadog-tags: _dd.p.dm=-1
traceparent: 00-000000000000000079549ecc60f691f7-fcae0049de6088e3-01
tracestate: dd=s:1;t.dm:-1
NOTE: I did not ask ChatGPT to hit any of my sites, for that header test as it’s already stolen sufficient content from me. I fired up a pipedream 'request bin' instance and used the metadata from it.
I’ll be keeping an eye on this user-agent both at work and on personal sites:
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot
🎙️ Voice Assistance Without The Creepiness
We removed 99% of all but Siri eavesdropping capabilities from our abode a few years ago; and, finally, got rid of the last creepy component — our Ring doorbell — within the past six months (I'll check receipts to get the exact date when back at the abode).
A big problem with Siri is that, well, it's an idiot. Not that the Echo or whatever Google's assistant was/is called was much better, but both of those are at least going to — or now have — some increased “smarts” thanks to our new LLM overlords. Thanks to several apparent missteps, Apple may not have a competitive offering in this space this year.
Since this is a quick hit week, I'll dig in more in the coming months, but wanted to note that I'm likely settling on Willow in an ESP-BOX to provide some augmented voice smarts.
I know there are other tinkerers out there who may be interested in such a non-creepy solution. I also know I don't know everything, so if y'all have solved this first-world problem in another way, I've love to hear about it in the comments or any other place you're comfortable sharing info.
❊ Windmill
I keep trying to move away from cron
and keep being disappointed in the FOSS offerings of most “workflow runners” I've tried.
Since, thanks to all of you who subscribe to the Drop (since I would never have poked at Caddy again if it weren't for y'all), I'm giving Windmill a go to see if it scratches the modern automation itch.
It's an open-source alternative to Retool, Airplane and n8n (et al.) to build all your internal tools (endpoints, workflows, UIs) through simple scripts — in Typescript, Python, Go & Bash — and low code builders.
The Docker bootstrap was super easy to setup remotely (since I'm on the road this week), and I'll report back on whether this survives the “is it better than hrbrmstr's decades' old janky cron setup” test.
FIN
Fear not, intrepid readers! There shall most certainly be a WPE tomorrow! ☮
I totally need a better group handle for subscribers.
Definitely excited for more in-depth exploration of less creepy voice assistants/automation!