Perplexity.AI Is Susceptible to Prompt Injection From Arbitrary Pages ...
Earlier this week, I came across a blog post by Robb Knight discussing the questionable behavior of Perplexity AI and its scrapers. The post highlighted how Perplexity AI, despite claiming to honor robots.txt directives, was actually ignoring them. This behavior has raised concerns and even prompted an investigation by AWS to determine if Perplexity AI is violating their terms of service.
After reading Robb's post, I decided to test Perplexity AI myself and discovered a significant vulnerability - prompt injection. It appears that Perplexity AI can have prompts injected by the pages it analyzes, which could result in misleading or inappropriate responses.
Testing Prompt Injection
To test this vulnerability, I created a page with a simple prompt injection test. When I asked Perplexity AI to analyze the page, it fetched the content and responded in a way that indicated it had taken the page's content as part of the prompt.
I conducted several more tests, each confirming that Perplexity AI was indeed susceptible to prompt injection. Whether intentionally changing the response to a question or instructing it to override certain rules, Perplexity AI's responses were influenced by the injected prompts.
Implications of Prompt Injection
Perplexity AI markets itself as an "answers engine" that provides accurate and reliable information. However, its vulnerability to prompt injection raises concerns about the integrity of the information it delivers. Pages with injected prompts can potentially manipulate the results presented to users, leading to misinformation or biased responses.
It is crucial for AI-powered tools like Perplexity AI to ensure that their output accurately reflects the information available on the pages they analyze. Failure to address this vulnerability could result in a disinformation nightmare for users relying on such platforms.
Questionable Behavior
Despite media attention and scrutiny, Perplexity AI continues to exhibit concerning behavior. Requests made by Perplexity AI's crawlers often do not mention Perplexity in their user-agents, indicating an attempt to mask their identity. This deceptive behavior contradicts their claim to respect robots.txt directives and raises further doubts about the company's practices.
Additionally, the use of misleading user-agents and the distribution of crawler requests across various IPs suggest a deliberate effort to obfuscate Perplexity AI's activities. Such dishonest tactics undermine the trust users place in AI-powered search engines like Perplexity AI.
In conclusion, the susceptibility of Perplexity AI to prompt injection from arbitrary pages underscores the need for transparency and accountability in AI technologies. It is essential for companies like Perplexity AI to address these vulnerabilities and uphold the trust of their users.
