Prompt-in-Content Attacks: Exploiting Uploaded Inputs to Hijack LLM Behavior

Large Language Models (LLMs) are widely deployed in applications that accept user-submitted content, such as uploaded documents or pasted text, for tasks like summarization and question answering. In this paper, we identify a new class of attacks, prompt in content injection, where adversarial instructions are embedded in seemingly benign inputs. When processed by the LLM, these hidden prompts can manipulate outputs without user awareness or system compromise, leading to biased summaries, fabricated claims, or misleading suggestions. We demonstrate the feasibility of such attacks across popular platforms, analyze their root causes including prompt concatenation and insufficient input isolation, and discuss mitigation strategies. Our findings reveal a subtle yet practical threat in real-world LLM workflows.

Key Contributions

• Formalizes prompt-in-content injection as a new attack class where adversarial instructions embedded in uploaded documents hijack LLM behavior during normal user tasks
• Designs and evaluates four attack variants (task suppression, output substitution, behavioral redirection, framing manipulation) across seven major LLM platforms including ChatGPT 4o, Claude Sonnet, Grok 3, and DeepSeek R1
• Demonstrates a covert information exfiltration extension where embedded prompts encode chat history contents into attacker-controlled URLs, and analyzes root causes (prompt concatenation, insufficient input isolation) with mitigation strategies

🛡️ Threat Analysis

Details

Similar Papers