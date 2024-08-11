AI in practice
Matthias Bastian

Apple Intelligence in MacOS 15.1 Beta 1 is vulnerable to a classic AI exploit

Midjourney prompted by THE DECODER
Apple Intelligence in MacOS 15.1 Beta 1 is vulnerable to a classic AI exploit
Online journalist Matthias is the co-founder and publisher of THE DECODER. He believes that artificial intelligence will fundamentally change the relationship between humans and computers.
Profile
E-Mail
Content
summary Summary

A developer has successfully manipulated Apple Intelligence using prompt injection, bypassing the AI's intended instructions to respond to arbitrary prompts instead.

Ad

Apple's new AI system, Apple Intelligence, available to developers in MacOS 15.1 Beta 1, has proven susceptible to prompt injection attacks like other large language model-based AI systems. Developer Evan Zhou demonstrated this vulnerability in a YouTube video.

Zhou aimed to manipulate Apple Intelligence's "Rewrite" feature, which normally rewrites and improves text, to respond to any prompt. A simple "ignore previous instructions" command initially failed.

However, Zhou was able to use information about Apple Intelligence's system prompts shared by a Reddit user. In a file, he discovered templates for the final system prompts and special tokens that separate the AI system role from the user role.

Ad
Ad

Using this knowledge, Zhou created a prompt that overwrote the original system prompt. He prematurely terminated the user role, inserted a new system prompt instructing the AI to ignore the previous instructions and respond to the following text, and then triggered the AI's response.

After some experimentation, the attack was successful: Apple Intelligence responded with information Zhou hadn't asked for, confirming that the prompt injection worked. Zhou published his code on GitHub.

Prompt injection is a known vulnerability in AI systems where attackers insert malicious instructions into prompts to alter the AI's intended behavior. This issue has been known since at least GPT-3, which was released in May 2020, and remains unresolved.

Apple deserves credit for making it relatively difficult to prompt inject Apple Intelligence. Other chat systems can be tricked much more easily by simply typing directly into the chat window or with hidden text in images. Even systems like ChatGPT or Claude can still be vulnerable to prompt injection under certain circumstances, despite countermeasures.

Ad
Ad
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.
Support our independent, free-access reporting. Any contribution helps and secures our future. Support now:
Bank transfer
Summary
  • Developer Evan Zhou has managed to manipulate Apple's Apple Intelligence via prompt injection, causing it to ignore instructions and respond to arbitrary prompts.
  • Zhou used information about Apple Intelligence's system prompts and special tokens published by a Reddit user to create a prompt that overwrites the original system prompt and triggers the AI's response in a specific way.
  • Prompt injection is a known vulnerability in AI systems, where attackers inject malicious instructions to manipulate the AI's behavior. While more difficult to achieve with Apple Intelligence than with other systems, the attack demonstrates that the problem hasn't been solved, although it's been known since at least GPT-3.
Sources
YouTube
Online journalist Matthias is the co-founder and publisher of THE DECODER. He believes that artificial intelligence will fundamentally change the relationship between humans and computers.
Profile
E-Mail
AI in practice

Alibaba's new math-optimized AI models Qwen2-Math school other top LLMs on math tasks

News, tests and reports about VR, AR and MIXED Reality.
Looking Glass: First holo displays are sent to customers VR fitness with AI assistant: FitXR for Meta Quest gets new features Want to upgrade your Meta Quest 3? Get some free accessories from KIWI MIXED-NEWS.com
AI in practice

AI learns athletes' steroid profiles to catch doping with minimal data

AI in practice

Anthropic tests its "next-generation system for AI safety mitigations"

Google News
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.

Apple Intelligence in MacOS 15.1 Beta 1 is vulnerable to a classic AI exploit

Bank details

IBAN: DE87 1203 0000 1086 0070 75
Account holder: DEEP CONTENT GbR
Purpose: Support THE DECODER
AI and society

Chipmakers prepare for the angstrom age with successful tests of next-gen lithography machines

AI in practice

Is OpenAI's brain drain a sign of AI winter or just bad management?

AI in practice
Update

OpenAI has a "highly accurate" ChatGPT text detector, but won't release it for now

Google News