The integration of AI agents—which independently scour the internet and interact with online services—into daily life has introduced a critical, easily exploitable vulnerability known as query injection or prompt injection.
This type of attack leverages the AI’s core functionality—its ability to follow natural language instructions—to manipulate its intended behavior.
Unlike traditional cyberattacks that require cleverly written code to cause damage, prompt injection exploits the fact that Large Language Models (LLMs) cannot reliably distinguish between a legitimate user instruction and a malicious command slipped into the input data.
Direct Injection: Occurs in real-time when a user’s prompt (e.g., “book a hotel”) is overridden by a hostile command (e.g., “wire $100 to this account”).
Indirect Injection: The attacker embeds nefarious prompts on public parts of the internet, such as on a web page or in an email. When the AI agent, built into browsers or other apps, encounters this booby-trapped data, it reads and executes the hidden commands, believing them to be legitimate instructions.
Experts like Eli Smadja of Check Point label this the “number one security problem” for LLMs. Both Meta and OpenAI have publicly acknowledged this “vulnerability” and “unresolved security issue,” respectively.
Major AI rivals are pouring resources into defenses, but striking a balance between security and the ease of use that consumers expect remains the central challenge.
Microsoft has integrated tools to detect malicious commands by analyzing the origin of the instructions.
OpenAI alerts users when agents visit sensitive websites and requires real-time human supervision for further action.
Security professionals suggest limiting the power given to any single AI agent, advocating for user approval before performing sensitive actions like exporting data or accessing bank accounts. Cybersecurity researcher Johann Rehberger emphasizes that AI agents are not yet mature enough to be trusted with important missions or data without constant human checks.
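The two defenses described above, tracking where an instruction came from and requiring user approval before sensitive actions, can be combined into a small policy gate in front of an agent's tool calls. The following is an added example written for this page, not code from any vendor mentioned; the tool names, the source labels and the rule that any sensitive action proposed after reading web or email content is refused are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Policy knobs (assumed for this example, not taken from any product).
TRUSTED_SOURCES = {"user"}                           # instructions the agent may act on
SENSITIVE_TOOLS = {"export_data", "bank_transfer"}   # always need a human decision

@dataclass
class ToolCall:
    name: str
    args: dict
    # Every source the model had ingested when it proposed this call,
    # e.g. {"user"} or {"user", "web"}. This is the "origin of the instruction".
    provenance: frozenset

def gate(call: ToolCall, approve: Callable[[ToolCall], bool]) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'deny'."""
    if call.name not in SENSITIVE_TOOLS:
        return "allow", "non-sensitive tool"
    tainted = call.provenance - TRUSTED_SOURCES
    if tainted:
        # A sensitive action proposed after reading web/email content matches the
        # indirect-injection pattern: refuse and let the user re-issue it directly.
        return "deny", f"proposed after reading untrusted content: {sorted(tainted)}"
    if approve(call):
        return "allow", "user approved"
    return "deny", "user declined"

def run_plan(plan: list, approve: Callable[[ToolCall], bool]) -> list:
    """Apply the gate to each proposed call and collect (name, decision, reason)."""
    return [(c.name, *gate(c, approve)) for c in plan]

# Constructed scenario: the user asked to book a hotel, the fetched page carried a
# hidden instruction, and the model then proposed a transfer it was never asked for.
PLAN = [
    ToolCall("web_fetch", {"url": "https://hotel.example/offers"}, frozenset({"user"})),
    ToolCall("bank_transfer", {"amount": 100, "to": "attacker"}, frozenset({"user", "web"})),
    ToolCall("export_data", {"what": "contacts"}, frozenset({"user"})),   # user's own request
]

def always_yes(call: ToolCall) -> bool:
    return True

def always_no(call: ToolCall) -> bool:
    return False

if __name__ == "__main__":
    for name, decision, reason in run_plan(PLAN, always_no):
        print(f"{name:14s} {decision:5s} {reason}")
```

The transfer is refused without consulting the user because it surfaced only after untrusted content was read, while the export the user asked for still waits on an explicit approval.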