Skip to main content
Skip table of contents

Context Leakage

Short description

Unintentional exposure of sensitive internal documents, intellectual property or system prompt of the chatbot through the output of an AI model. 

Technical Details

Context leakage occurs when user input manipulates a chatbot's original purpose to instead reveal parts or all of its system prompt, confidential documents, information, or tools. 

Even a small prompt leak can enable an adversarial user to extract more of the prompt or execute other attacks like jailbreaks and manipulation. Since carefully designed prompts represent a company's intellectual property and are crucial to the chatbot's function, they must remain confidential. Additionally, prompts may contain sensitive API keys and internal information that should stay within the company. There's also a risk of exposing the chatbot's tools, functions, complete schema, and agent architecture. 

The key vulnerability arises when an adversarial user discovers which delimiter marks user input in the prompt. They can then fake the input's end and make their text appear as a continuation of the system prompt. 

Examples: 

An education chatbot with the secret instruction "Act as 5 year old", once a user discovers this instruction, they can replicate the chatbot's behavior, making the original chatbot redundant.

Mend AI's context leakage red teamer uses previous attack attempts as input, along with both confidential and non-confidential parts of the chatbot prompt and its tools, if the chatbot owner opts for grey box rather than black box testing. The attacker LM follows three steps: Obfuscate sensitive words and the goal of extracting the system prompt, rephrase the initial prompt, and employ creative approaches that the target LM isn't trained to defend against. These elements combine into a single jailbreaking prompt, with each adversarial attempt starting a new conversation. 

Chat example

image-20250703-061423.png

Explanation

Text contains full sentences and instructions that are described in the confidential part of the system prompt, including mentioning an inner function and its API key. 

List of variations

  • Default language 

  • Base64Encode 

  • LeetSpeak 

  • StringJoin 

  • Multilanguage 

  • Convert to Audio 

  • RAG Variation 

  • Emojify 

  • Gaussian Filter 

  • Mirror Image 

  • Salt & Pepper 

  • DALL-E Generated Image 

  • Document Variation 

List of strategies

  • One Show w/ Retry 

  • Multishot 

Red Teamer

Black box - Adversarial User - No Info

The Red Teamer attempts to make the target AI Assistant reveal confidential information from its system prompt. The red teamer iteratively refines adversarial prompts by identifying confidential parts of the system prompt, employing tactics like roleplaying, euphemisms, and creative obfuscation to bypass safety measures, and ultimately extracting sensitive details. This red teamer operates with Multishot and One Shot with Retry strategies, having access only to the input attack message and conversation history. 

Gray box - Adversarial User - Informed/Leaker

The Red Teamer attempts to make the target AI Assistant leak confidential information from its system prompt by analyzing both confidential and non-confidential sections, along with raw tool definitions. Using obfuscation techniques like synonyms and euphemisms, combined with iterative roleplaying, the Red Teamer works to bypass the model's safety measures. This approach uses the One Shot with Retry Strategy. The Red Teamer has access to the system prompt, tools/functions, input attack message, and conversation history. 

Multimodal support

  • Text 

  • Image 

  • Voice 

  • Document 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close