Dropbox security research: prompt injection via control characters in GPT-3.5 and GPT-4
Dropbox's security team identified that user-controlled control characters in LLM prompt inputs can circumvent system-level instructions, enabling prompt injection attacks that cause models to betray context constraints or hallucinate.
The prompt template designed to constrain LLM queries to a specific context and prevent instruction leakage was defeated when sufficient control characters were prepended to the question parameter, regardless of instruction wording or formatting.
Dropbox demonstrated that prepending sufficient control characters to LLM prompt inputs causes GPT-3.5 and GPT-4 to betray their system instructions and hallucinate; the team shared findings with OpenAI and identified input sanitization as the primary mitigation.
Show all 5 reported metrics
Frequently asked questions
What did this team achieve with this AI workflow?
Dropbox demonstrated that prepending sufficient control characters to LLM prompt inputs causes GPT-3.5 and GPT-4 to betray their system instructions and hallucinate; the team shared findings with OpenAI and identified…
What tools did this team use?
GPT-3.5, GPT-4, ChatGPT, Python 3.
What results were reported?
Carriage returns required to trigger model instruction betrayal: 350 or more; backspaces required to trigger GPT-3.5 instruction betrayal: at least 450; GPT-3.5 context window token limit: 4096; GPT-4 context window extension factor: factor of four (source-reported, not independently verified).
What failed first in this deployment?
The prompt template designed to constrain LLM queries to a specific context and prevent instruction leakage was defeated when sufficient control characters were prepended to the question parameter, regardless of instr…
How is this workflow AI workflow structured?
LLM injection threat identified → Prompt template constructed → Control character injection scripted → LLM processes injected prompt → Instruction betrayal observed → Sanitization guidance recommended.