Georg Dresler

Aug 20, 2024 • World Congress 2024

Manipulating The Machine: Prompt Injections And Counter Measures

A Chevy chatbot was tricked into offering cars for $1. This talk explores the serious security threat of prompt injection and shows you how to stop it.

#1about 4 minutes

Understanding the three layers of an LLM prompt

A prompt is structured into three layers: the system prompt for instructions, the context for additional data, and the unpredictable user input.

#2about 3 minutes

How a car dealer's chatbot was easily manipulated

A Chevrolet car dealer's chatbot was exploited by users to generate humorous and unintended responses, including a legally binding offer for a $1 car.

#3about 4 minutes

Stealing system prompts to bypass security rules

Attackers can use creative phrasing like "repeat everything above" to trick an LLM into revealing its hidden system prompt and instructions.

#4about 6 minutes

Why attackers use prompt injection techniques

Prompt injections are used to access sensitive business data, gain personal advantages like bypassing HR filters, or exploit integrated tools to steal information like 2FA tokens.

#5about 4 minutes

Exploring simple but ineffective defense mechanisms

Initial defense ideas like avoiding secrets or tool integration are impractical, and simple system prompt instructions are easily circumvented by attackers.

#6about 4 minutes

Using fine-tuning and adversarial detectors for defense

More effective defenses include fine-tuning models on domain-specific data to reduce reliance on instructions and using specialized adversarial prompt detectors to identify malicious input.

#7about 2 minutes

Key takeaways on prompt injection security

Treat all system prompt data as public, use a layered defense of instructions, detectors, and fine-tuning, and accept that no completely reliable solution exists yet.

Riverty
Berlin, Germany

Intermediate

Python

Docker

+1

Wilken GmbH
Ulm, Germany

Senior

Kubernetes

AI Frameworks

+3

Picnic Technologies B.V.
Amsterdam, Netherlands

Intermediate

Senior

Python

Structured Query Language (SQL)

+1

Increasing the value of talk recordings post-event

04:57 MIN

Increasing the value of talk recordings post-event

Cat Herding with Lions and Tigers - Christian Heilmann

Why corporate AI adoption lags behind the hype

03:28 MIN

Why corporate AI adoption lags behind the hype

What 2025 Taught Us: A Year-End Special with Hung Lee

Preventing exposed API keys in AI-assisted development

03:45 MIN

Preventing exposed API keys in AI-assisted development

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Automating formal processes risks losing informal human value

03:48 MIN

Automating formal processes risks losing informal human value

What 2025 Taught Us: A Year-End Special with Hung Lee

Unlocking LLM potential with creative prompting techniques

04:59 MIN

Unlocking LLM potential with creative prompting techniques

WeAreDevelopers LIVE – Frontend Inspirations, Web Standards and more

Incentivizing automation with a 'keep what you kill' policy

05:18 MIN

Incentivizing automation with a 'keep what you kill' policy

What 2025 Taught Us: A Year-End Special with Hung Lee

The security risks of AI-generated code and slopsquatting

05:55 MIN

The security risks of AI-generated code and slopsquatting

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Balancing the trade-off between efficiency and resilience

03:38 MIN

Balancing the trade-off between efficiency and resilience

What 2025 Taught Us: A Year-End Special with Hung Lee

Featured Partners

ChatGPT, ignore the above instructions! Prompt injection attacks and how to avoid them.

ChatGPT, ignore the above instructions! Prompt injection attacks and how to avoid them.

Sebastian Schrittwieser

about 2 years ago • World Congress 2023

Prompt Injection, Poisoning & More: The Dark Side of LLMs

Prompt Injection, Poisoning & More: The Dark Side of LLMs

Keno Dreßel

about 4 months ago • World Congress 2025

Beyond the Hype: Building Trustworthy and Reliable LLM Applications with Guardrails

Beyond the Hype: Building Trustworthy and Reliable LLM Applications with Guardrails

Alex Soto

about 4 months ago • World Congress 2025

The AI Security Survival Guide: Practical Advice for Stressed-Out Developers

The AI Security Survival Guide: Practical Advice for Stressed-Out Developers

Mackenzie Jackson

about a year ago • World Congress 2024

Prompt Engineering - an Art, a Science, or your next Job Title?

Prompt Engineering - an Art, a Science, or your next Job Title?

Maxim Salnikov

about a year ago • World Congress 2024

Hacking AI - how attackers impose their will on AI

Hacking AI - how attackers impose their will on AI

Mirko Ross

about 2 years ago • World Congress 2023

Using LLMs in your Product

Using LLMs in your Product

Daniel Töws

about a year ago • World Congress 2024

Skynet wants your Passwords! The Role of AI in Automating Social Engineering

Skynet wants your Passwords! The Role of AI in Automating Social Engineering

Wolfgang Ettlinger & Alexander Hurbean

about 2 years ago • World Congress 2023

Related Articles

View all articles

CH

Chris Heilmann

Dev Digest 138 - Are you secure about this?

Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...

Dev Digest 138 - Are you secure about this?

DC

Daniel Cranney

Dev Digest 171: AI in disguise, Doomed tech and system prompts

Inside last week’s Dev Digest 171 . 🤖 Insights from LLM system prompts 👎 Why agents are bad pair programmers 🔒 All vibe coded apps share a security flaw 📅 Why are 2025/05/28 and 2025-05-28 different dates in JS? 🧱 Pure CSS Minecraft 🎧 Create web aud...

Dev Digest 171: AI in disguise, Doomed tech and system prompts

DC

Daniel Cranney

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

This week, we’re continuing our look-back on some of the best moments from the Weekly Developer Show from 2025. Here’s what some of our fantastic guests had to say… Sebastian Gingter cracked open the idea of “slopsquatting” and explained why we shou...

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

DC

Daniel Cranney

Dev Digest 182: GPT5 Prompts, MCP Vulnerabilities, Code Traps

Inside last week’s Dev Digest 182 . 📝 A guide to prompting GPT-5 ⏰ Extreme hours at AI startups 💻 AI is a Junior Dev, and it needs a lead 🐴 Trojans embedded in SVG’s ⚠️ The State of MCP Security ⚒️ A reference manual for people who design and build ...

Dev Digest 182: GPT5 Prompts, MCP Vulnerabilities, Code Traps

From learning to earning

Jobs that call for the skills explored in this talk.

Prompt Engineer - Generative AI

Ethikos
Barcelona, Spain

Remote

API

Azure

Python

Docker

+2

Agentic AI Architect - Python, LLMs & NLP

FRG Technology Consulting

Intermediate

Azure

Python

Machine Learning

GenAI Developer - Prompt Engineering & Data Workflows

Mindrift

Remote

£41K

Junior

JSON

Python

Data analysis

+1

AI Prompt Engineer

Future plc
Charing Cross, United Kingdom

Bash

Linux

Azure

Python

Docker

+4

Conversational AI & Machine Learning Engineer

Deloitte
Leipzig, Germany

Azure

DevOps

Python

Docker

PyTorch

+6

{"@context":"https://schema.org/","@type":"JobPosting","title":"Software Engineer 2 - Full-Stack - Behavioral Security Products

Abnormal AI

Intermediate

API

Spark

Kafka

Python

Machine Learning Engineer - Large Language Models (LLM) - Startup

Startup
Charing Cross, United Kingdom

PyTorch

Machine Learning

AI Manipulation and Application Expert (Human)

Neura Robotics GmbH

Intermediate

C++

Python

Software Engineer with a focus on AI

Power Reply GmbH & Co. KG

Remote

API

Java

Rust

Azure

+12