Is it easy to get write access to the documents that somebody else’s project relies on for answers? (Is this a general-purpose problem, or is it more like a… privilege escalation, in a sense?)
- if the webpage lacks classic CSRF protections, a prompt injection could append an “image” that triggers a modifying request (e.g. “<img src=https://example.com/create_post?content=…>”)
- if the webpage permits injection of uncontrolled code to the page (CSS, JS and/or HTML), such as for the purposes of rendering a visualization, then a classic “self-XSS” attack could be used to leak credentials to an attacker who would then be able to act as the user.
Both assume the existence of a web vulnerability in addition to the prompt injection vulnerability. CSRF protection on all mutating endpoints should stop the former attack, and a good CSP should mitigate the latter.
It could also be part of a subtle phishing attack: many users wouldn't think twice if a message from their "manager" told them to use a new site as a source. That site could have hidden payload text (in this case white-on-white font, but they mention there are other ways to achieve the same thing), so it looks normal even if they think to check it.