pith. sign in

arxiv: 2405.20234 · v3 · pith:ODRQLPEPnew · submitted 2024-05-30 · 💻 cs.AI

Hidden in Plain Sight: Exploring Chat History Tampering in Interactive Language Models

classification 💻 cs.AI
keywords chathistoryllmschatgptmodelreal-worldtamperingtemplates
0
0 comments X
read the original abstract

Large Language Models (LLMs) such as ChatGPT and Llama have become prevalent in real-world applications, exhibiting impressive text generation performance. LLMs are fundamentally developed from a scenario where the input data remains static and unstructured. To behave interactively, LLM-based chat systems must integrate prior chat history as context into their inputs, following a pre-defined structure. However, LLMs cannot separate user inputs from context, enabling chat history tampering. This paper introduces a systematic methodology to inject user-supplied history into LLM conversations without any prior knowledge of the target model. The key is to utilize prompt templates that can well organize the messages to be injected, leading the target LLM to interpret them as genuine chat history. To automatically search for effective templates in a WebUI black-box setting, we propose the LLM-Guided Genetic Algorithm (LLMGA) that leverages an LLM to generate and iteratively optimize the templates. We apply the proposed method to popular real-world LLMs including ChatGPT and Llama-2/3. The results show that chat history tampering can enhance the malleability of the model's behavior over time and greatly influence the model output. For example, it can improve the success rate of disallowed response elicitation up to 97% on ChatGPT. Our findings provide insights into the challenges associated with the real-world deployment of interactive LLMs.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Why Trust Your Agent? Empirical Security Gains from TRiSM-Guided Agentic Workflows in Healthcare

    cs.CR 2026-06 unverdicted novelty 4.0

    TRiSM-guided agentic workflows reduced RAG poisoning attack success from 31% to 10%, data-field injection from 42% to 25%, eliminated network injection, and raised report accuracy from 72.5% to 86.5% across five LLMs ...