A researcher has identified an active prompt injection attack on the Moltbook platform, aimed at stealing cryptocurrencies by controlling AI agents.

Attack Details

The malicious payload was hidden within a seemingly innocuous post, a guide on using Base chain and Viem. At the bottom of the post, there was code designed to force the AI agent to transfer 0.1 ETH to a specific address, bypassing security checks.

Implications for developers

This incident underscores the critical need for developers to treat all web and social content as untrusted data. It is essential to strictly separate read tools from write tools and require explicit confirmation for any transaction or action that modifies the system state. Other defensive measures include blocking injection markers and logging the provenance of each action.

Security Measures

The researcher recommends not storing private keys directly in agents, but using signing systems with policy control. Furthermore, they suggest implementing detailed logging to track the provenance of each action taken by the agent, facilitating the identification and correction of any vulnerabilities. For those considering on-premise deployments, there are architectural trade-offs to consider; AI-RADAR offers analytical frameworks on /llm-onpremise to evaluate these aspects.