Fun trick: if someone gives a hosted LLM a skill that lets it fetch web pages (directly, not through some third-party scraper service) and it's hosted on AWS, you can often trick it into fetching data from the AWS instance metadata server (IMDS) at 169.254.169.254 / [fd00:ec2::254]. The higher-end models tend to refuse if you give the IP, but you can just spin up a domain with A/AAAA records pointing at that IP and request that instead. If IMDSv1 isn't disabled you can get secrets out of it.
@gsuberland Does that also work in URLs in Mastodon posts with each server generating previews?
@penguin42 damn good question.
@penguin42 if they don't have a denylist rule to prevent this then it might still be mitigated by the response content type, but uhhh
@gsuberland I'd put bets on most of them not having any denylist for that type of thing, and there being equivalents for other clouds and local k8s deployments, etc. etc.
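The denylist the thread is wondering about, as an added example that is not part of the thread and not any real fetcher's code: a small Python helper for a page-fetching tool that resolves the requested host to every A/AAAA answer, refuses if any answer lands in the IMDS addresses named above or in the usual loopback/private/link-local ranges (those extra ranges are an assumed policy), and then connects to the vetted address rather than resolving the name a second time. The hostnames and IPs in the comments and tests are constructed; the only real values are the two IMDS endpoints from the first post.

```python
import http.client
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Address ranges a page-fetching tool should refuse to contact. The two IMDS
# endpoints (169.254.169.254 and fd00:ec2::254) are the ones named in the
# thread; the remaining ranges are an assumed, fairly standard SSRF denylist.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),     # IPv4 link-local (covers 169.254.169.254)
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS over IPv6
    ipaddress.ip_network("fc00::/7"),           # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]

Resolver = Callable[[str], List[str]]


def is_blocked_address(ip_text: str) -> bool:
    """True if the literal address falls inside any blocked range."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolver(hostname: str) -> List[str]:
    """Every A and AAAA answer for the name, via the OS resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def vet_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Check the URL's host and return ONE vetted IP the caller must connect to.

    Returning the address matters: the caller connects to it instead of
    resolving the name again, so a changed DNS answer between check and
    connect (rebinding) cannot slip past the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing non-HTTP scheme: {parts.scheme!r}")
    host = parts.hostname  # strips [] from IPv6 literals and lowercases
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)
        addresses = [host]          # literal IP: judged directly
    except ValueError:
        addresses = resolver(host)  # hostname: judge every A/AAAA answer
    if not addresses:
        raise ValueError(f"{host}: no addresses returned")
    blocked = [a for a in addresses if is_blocked_address(a)]
    if blocked:
        raise PermissionError(f"{host} resolves to blocked address(es): {blocked}")
    return addresses[0]


def fetch_pinned(url: str, resolver: Resolver = system_resolver, max_bytes: int = 1 << 20) -> bytes:
    """Plain-HTTP fetch that connects to the vetted IP and sends the original Host.

    Redirects are deliberately not followed: each Location header is a new
    target and must go through vet_url itself. Only text/html is accepted,
    which is what a link-preview generator actually needs.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("this helper pins only plain HTTP; HTTPS needs SNI/cert handling by name")
    ip = vet_url(url, resolver)
    host_header = parts.netloc.rsplit("@", 1)[-1]  # drop any userinfo
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection(ip, parts.port or 80, timeout=10)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    if resp.status in (301, 302, 303, 307, 308):
        raise PermissionError(f"redirect to {resp.getheader('Location')!r} not followed; vet it first")
    ctype = resp.getheader("Content-Type", "")
    if not ctype.lower().startswith("text/html"):
        raise PermissionError(f"unexpected content type {ctype!r}")
    return resp.read(max_bytes)
```

The check is applied to every answer, not just the first, because a name with one harmless A record and one link-local AAAA record would otherwise pass on IPv4 and be fetched over IPv6. Content-type filtering is kept as a second layer only; the address check is the one that actually closes the hole.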