← Back to Schlack Lab ARCANUM Training Lab

Schlack — Indirect Prompt Injection Through AI Summarization

Based on the PromptArmor Slack AI disclosure (Aug 2024) — private channel data exfiltration via indirect prompt injection

What Happened Slack AI

In August 2024, security researchers at PromptArmor discovered and responsibly disclosed a critical vulnerability in Slack AI — Slack's built-in assistant that summarizes channel messages and answers natural-language queries. The vulnerability allowed an attacker to exfiltrate private data from Slack channels they had no access to using indirect prompt injection.

The attack worked as follows:

A key detail that made this attack especially dangerous: Slack AI did not cite the attacker's public channel in its response. The citation only referenced the victim's private channel, making the injection nearly impossible to trace. Even worse, the attacker's message didn't appear in the first page of search results — the victim would never know the injection existed.

The Phishing Variant

PromptArmor also demonstrated a phishing attack chain using the same mechanism. Instead of exfiltrating data, the injected instruction caused Slack AI to render a phishing link disguised as a "reauthenticate" prompt. The attacker could reference specific individuals (e.g., a manager or executive) in the injection, enabling spear phishing of targeted users through AI-generated summaries.

The August 14th Expansion

On August 14, 2024 — the same day PromptArmor disclosed the vulnerability — Slack AI added support for ingesting uploaded files and Google Drive documents into its answers. This dramatically widened the attack surface. An attacker no longer needed to post a message in Slack at all — a malicious instruction hidden in a PDF (e.g., in white text) that a user downloaded and uploaded to Slack could achieve the same downstream exfiltration when Slack AI processed the file as context.

Responsible Disclosure Timeline

  • August 14: PromptArmor submits initial disclosure to Slack
  • August 15: Slack requests additional information; PromptArmor sends videos, screenshots, and notifies Slack of intent to publicly disclose given severity
  • August 16: Slack asks clarifying questions; PromptArmor responds
  • August 19: Slack reviews and deems evidence insufficient, stating that public channel messages "can be searched for and viewed by all Members of the Workspace" — calling it "intended behavior"

Given the proliferation of Slack and the volume of confidential data within it, PromptArmor proceeded with public disclosure so users could adjust their settings to reduce exposure. This highlights a broader industry challenge: prompt injection is fundamentally new and often misunderstood, even by security teams at major platforms.

Related: EchoLeak Microsoft Copilot

In 2025, a similar vulnerability dubbed EchoLeak (CVE-2025-32711) was discovered affecting Microsoft 365 Copilot. An attacker would send a crafted email with hidden prompt injection to a victim's inbox. When the victim asked Copilot to summarize their inbox, the LLM processed the email's content as trusted data, executed the hidden instructions, and exfiltrated sensitive internal files to an attacker-controlled server. The victim only needed to ask for a summary — a completely normal action.

Why It Matters

This class of vulnerability — indirect prompt injection through AI-summarized content — represents a fundamental challenge in LLM-powered productivity tools. When an AI assistant processes untrusted user-generated content (chat messages, emails, documents) as context for summarization or analysis, any malicious instructions embedded in that content can cause the AI to perform unintended actions.

The attack is particularly dangerous because it exploits the AI's intended functionality (summarization) rather than a traditional software bug. The boundary between "data to summarize" and "instructions to follow" is inherently ambiguous in natural language — the LLM cannot distinguish between its system prompt and appended context, a problem initially coined by Kai Greshake as indirect prompt injection.

Defenses

References

This is a simulated training environment. No real accounts, emails, or files are involved.
Part of the ARCANUM IRL Lab Series by Bot-Tricks × Arcanum-Sec.