AVID-2023-V016
Vulnerability from avid – Published: 2023-03-31 – Updated: 2023-03-31 ATLAS Case StudySummary
The publicly available Streamlit application [MathGPT](https://mathgpt.streamlit.app/) uses GPT-3, a large language model (LLM), to answer user-generated math questions.
Recent studies and experiments have shown that LLMs such as GPT-3 show poor performance when it comes to performing exact math directly[<sup>\[1\]</sup>][1][<sup>\[2\]</sup>][2]. However, they can produce more accurate answers when asked to generate executable code that solves the question at hand. In the MathGPT application, GPT-3 is used to convert the user's natural language question into Python code that is then executed. After computation, the executed code and the answer are displayed to the user.
Some LLMs can be vulnerable to prompt injection attacks, where malicious user inputs cause the models to perform unexpected behavior[<sup>\[3\]</sup>][3][<sup>\[4\]</sup>][4]. In this incident, the actor explored several prompt-override avenues, producing code that eventually led to the actor gaining access to the application host system's environment variables and the application's GPT-3 API key, as well as executing a denial of service attack. As a result, the actor could have exhausted the application's API query budget or brought down the application.
After disclosing the attack vectors and their results to the MathGPT and Streamlit teams, the teams took steps to mitigate the vulnerabilities, filtering on select prompts and rotating the API key.
[1]: https://arxiv.org/abs/2103.03874 "Measuring Mathematical Problem Solving With the MATH Dataset"
[2]: https://arxiv.org/abs/2110.14168 "Training Verifiers to Solve Math Word Problems"
[3]: https://lspace.swyx.io/p/reverse-prompt-eng "Reverse Prompt Engineering for Fun and (no) Profit"
[4]: https://research.nccgroup.com/2022/12/05/exploring-prompt-injection-attacks/ "Exploring prompt-based attacks"
Risk domain
Security
SEP view
S0403: Adversarial Example
Lifecycle
L06: Deployment
Organisations
MathGPT (https://mathgpt.streamlit.app/) (deployer)
Affected artifacts
1 artifact
| Artifact | Type |
|---|---|
| MathGPT (https://mathgpt.streamlit.app/) | System |
References
5 references
| URL | Label |
|---|---|
| https://atlas.mitre.org/studies/AML.CS0016 | Achieving Code Execution in MathGPT via Prompt Injection |
| https://arxiv.org/abs/2103.03874 | Measuring Mathematical Problem Solving With the MATH Dataset |
| https://arxiv.org/abs/2110.14168 | Training Verifiers to Solve Math Word Problems |
| https://lspace.swyx.io/p/reverse-prompt-eng | Reverse Prompt Engineering for Fun and (no) Profit |
| https://research.nccgroup.com/2022/12/05/explorin… | Exploring prompt-based attacks |
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…