What is prompt injection, and what's the difference between direct and indirect injection?
Prompt injection crafts inputs that hijack an LLM's behaviour so it follows the attacker's instructions instead of the original ones — direct comes through the user channel, indirect is hidden in data the model reads.
* Direct vs indirect prompt injection: attacker-as-user vs payload hidden in third-party content. *
Prompt injection is an attack where adversaries craft inputs that make an LLM ignore its original instructions and follow the attacker's instead.
- Direct injection — malicious instructions sent directly through the normal input channel (the user types "Ignore previous instructions…").
- Indirect injection — malicious instructions planted in data the model will process: a website, document, email, CV, or database the model is asked to summarize/read. Example: the user asks "Summarise this document," and the document secretly contains "Ignore previous instructions…", hijacking the response.
Indirect injection is especially dangerous because the victim user is innocent — the payload rides in third-party content.
Tip: Direct = the attacker is the user. Indirect = the attacker poisoned a document/website the trusting user (or agent) feeds to the model.
Go deeper:
Prompt injection (Wikipedia) — the direct vs indirect taxonomy, real incidents and mitigation overview.