fun trick: if someone gives a hosted LLM a skill that lets it fetch web pages (directly, not through some third party scraper service) and it's hosted on AWS, you can often trick it into fetching data from the AWS instance metadata server (IMDS) at 169.254.169.254 / [fd00:ec2::254]. the higher end models tend to refuse if you give the IP, but you can just spin up a domain with A/AAAA records pointing at that IP and request that instead. if IMDSv1 isn't disabled you can get secrets out of it.
@gsuberland
I boosted because it sounds very cool, didn't like because I don't understand a word you wrote, but thank you for your service.
@Petesmom LLMs often get given the ability to download webpages, e.g. you say "look at [URL]" and that runs a script that downloads the URL and returns the results back to the LLM (and, in turn, possibly to you). if the LLM itself is running on a server, such as it would be for something like those awful support chat bots, then the request comes from the server, not your computer.

@Petesmom AWS (the cloud host) has a special service called IMDS that, among other things, provides methods of sharing secrets with servers. it's just a web API, you make requests to it and it returns data. when a server running in AWS asks IMDS for secrets, IMDS looks at that incoming request and goes "oh that's coming from server 12345, cool, give it access to the secrets for server 12345".

but if the LLM can make web requests, and the web requests come from that server... oops!

@Petesmom so basically you ask the LLM (which is running on an AWS server) to visit some webpage and tell you what it finds. the LLM has a "skill" (a description of a trigger like "the user asks to access a webpage" and an associated script to run when that occurs) for downloading webpages. the LLM runs the script. but the webpage you're asking for is actually the IMDS URL that returns all the secrets for that server. the LLM unwittingly fetches it and tells you the secrets. womp womp.
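
The guard a web-fetch skill needs to block the trick described above, written as an added example (this is not code from the original thread or from any particular LLM product). It resolves the hostname before fetching, refuses any address in the link-local and private ranges (covering 169.254.169.254 and [fd00:ec2::254], and the IPv4-mapped form ::ffff:169.254.169.254), and pins the checked address so the HTTP client cannot re-resolve the name. The resolver is injectable so the example runs offline; the hostnames, `SAMPLE_DNS` records and function names are constructed for illustration and are not real infrastructure.

```python
"""Fetch-tool target check for an LLM agent.  Example code added for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the fetch tool must never reach.  The first three cover the AWS IMDS
# endpoints named in the thread (169.254.169.254 and fd00:ec2::254); the rest
# are the usual SSRF targets (loopback, RFC 1918, "this network").
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),    # IPv4 link-local, includes IMDS
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
    ipaddress.ip_network("fd00:ec2::254/128"), # AWS IMDS IPv6 endpoint
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def is_blocked_address(ip_text: str) -> bool:
    """True if a literal IP address falls in a range the tool must not contact."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # refuse anything that is not a plain address literal
    # An IPv4-mapped IPv6 literal (::ffff:169.254.169.254) reaches the same
    # host as its IPv4 form, so check it as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> list[str]:
    """Real DNS lookup (A and AAAA).  Not used by the offline sample run below."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def check_fetch_target(url: str, resolver=default_resolver):
    """Decide whether the fetch skill may request `url`.

    Returns (allowed, reason, pinned_ip).  An unguarded tool just hands the URL
    to an HTTP client; that is the behaviour the thread exploits.  If `allowed`
    is True the caller must connect to `pinned_ip` (sending the original Host
    header) rather than letting the client re-resolve the name, otherwise a DNS
    record swapped after this check can still point the request at IMDS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return (False, f"scheme {parts.scheme!r} not allowed", None)
    host = parts.hostname  # brackets already stripped from IPv6 literals
    if not host:
        return (False, "no host in URL", None)
    try:
        ipaddress.ip_address(host)      # the "just give it the IP" case
        addrs = [host]
    except ValueError:
        addrs = resolver(host)          # the "spin up a domain" case
    if not addrs:
        return (False, f"{host} did not resolve", None)
    # Every record is checked: a name with one public and one link-local
    # address must still be refused, since the client may pick either.
    for addr in addrs:
        if is_blocked_address(addr):
            return (False, f"{host} resolves to blocked address {addr}", None)
    return (True, "ok", addrs[0])


# Constructed sample DNS data so the example runs offline.  The attacker names
# mimic the thread's trick of publishing A/AAAA records that point at IMDS.
SAMPLE_DNS = {
    "md.attacker.example": ["169.254.169.254", "fd00:ec2::254"],
    "mixed.attacker.example": ["203.0.113.10", "169.254.169.254"],
    "mapped.attacker.example": ["::ffff:169.254.169.254"],
    "docs.example.com": ["203.0.113.10"],
}


def sample_resolver(host: str) -> list[str]:
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for u in [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://md.attacker.example/latest/meta-data/",
        "http://mixed.attacker.example/",
        "http://mapped.attacker.example/",
        "https://docs.example.com/page",
    ]:
        print(u, "->", check_fetch_target(u, sample_resolver))
```

The host-side fix the thread alludes to is to require IMDSv2, which only answers requests that carry a session token obtained via a PUT to /latest/api/token; a fetch skill that issues plain GETs cannot obtain one. On an existing instance that is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`. Both layers are worth having: the guard above stops the tool reaching any metadata or internal endpoint, and IMDSv2 limits the damage if the guard is bypassed.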
@gsuberland @Petesmom Confused deputy, n+1th implementation.