€0.02 Transfer Enables Prompt Injection in Bunq AI Assistant
Indirect prompt injection via bank transfers demonstrated in Bunq AI assistant.
Blue41 testing showed a €0.02 transfer carrying an embedded prompt injection payload allowed an attacker to manipulate Bunq's financial AI assistant into issuing a personalized reauthentication request (Blue41, https://blue41.com/blog/how-we-helped-bunq-secure-their-financial-ai-assistant/).
Transaction descriptions retrieved as LLM context were processed as instructions rather than data, with the assistant autonomously generating responses that referenced real account activity.
The same boundary failure applies to any AI assistant ingesting third-party transaction records, documents or messages without per-source trust controls.
Security Analyst: Untrusted transaction fields fed directly into LLM context enable autonomous phishing without user device compromise.
Sources (2)
- [1]Primary Source(https://blue41.com/blog/how-we-helped-bunq-secure-their-financial-ai-assistant/)
- [2]Related Source(https://arxiv.org/abs/2302.12173)