Slack AI Exploited via Prompt Injection to Exfiltrate Private Channel Data
Researchers demonstrated that Slack AI could be hijacked through indirect prompt injection to exfiltrate data from private channels the attacker had no access to.
The attacker didn't need access to the private channel. They just needed Slack AI to have it.
Security researcher Simon Willison documented how Slack AI could be hijacked via indirect prompt injection to exfiltrate data from private channels. The attack: post a carefully crafted message in any public channel. When Slack AI processes that message as context, the injected instructions redirect the AI to retrieve and expose data from private channels the attacker can't see.
The mechanism was devastatingly simple: Slack AI reads messages across channels to build context for its responses. It doesn't distinguish between legitimate channel content and prompt injection payloads. A poisoned message in a public channel becomes an instruction that the AI follows with full access to private channels.
The data exfiltration happened through Slack AI's own response mechanism β the AI would include private channel data in its responses to queries in public channels, effectively laundering private data through a public interface.
Your AI assistant's access to private channels is the attacker's access to private channels. The injection just needs to happen once.
More nightmares like this
Prompt Injection Poisons AI Agent's Long-Term Memory β Persists Across Sessions
Researchers demonstrated that indirect prompt injection can permanently poison an AI agent's long-term memory, causing it to act on false information across all future sessions.
DPD's Chatbot Went Off the RailsβAnd Torched Its Own Brand
A courier company's customer-support chatbot was manipulated into swearing, self-aware criticism, and publicly trashing its employer after a system update removed safeguards. The incident exposed both prompt-injection vulnerability and guardrail failure in production AI.