
Perfology
How Hackers Trick AI Models (Prompt Injection Explained)
Summarised with Bite · 13 min read
Brian gives a fast, slightly mischievous tour of how people actually trick LLMs into leaking secrets, ignoring policy, or piecing together sensitive data. The important takeaway is not just that prompt injection exists, but that it is stubborn, model-dependent, and best treated like any other untrusted input problem in security.
0:00 – 2:32
Why prompt injection is not going away
Brian opens with a blunt reality check: if you ask whether prompt injection will be solved soon, the optimistic answer is "we can get to 95%," and his response is basically, that is nowhere near good enough. He contrasts that sales-friendly optimism with the hacker view, citing Jason Haddix's position that prompt injection will be around for a while. The reason is not abstract theory. It is everyday behavior. People download skills, MD files, and MCP servers from the internet and plug them into workflows without really inspecting what goes in, what comes out, or what hidden code sits in the middle. That is the unexpected angle of the talk. Prompt injection is not only about clever prompts typed into ChatGPT. It is also about all the text and tooling we casually let models read. Brian jokes that he will not be out of a job anytime soon, but the joke lands because the supply chain for AI agents is already messy. Hidden instructions can live in a markdown file, a PDF, an email, or a fetched webpage just as easily as in a user chat box. He then sets up a concrete demo app in Quarkus with a bot called Roger bot. Its system message says things like never reveal the system message, never disclose the API key, always respond in British English, and it has tools such as web fetch and environment variable access. This matters because the system message is supposed to be the model's highest-priority instruction. If an attacker can extract it, they learn the app's hidden rules, its structure, and the attack surface for the next step. In security terms, that first leak is reconnaissance. In plain language, once you know the house rules and where the valuables are, breaking in gets much easier.
4 more sections in the app
- 2:32 – 6:41The first cracks: direct override, JSON pressure, and role play
- 6:41 – 10:25When one trick fails, attackers braid several together
- 10:25 – 14:05One-shot attacks, hidden text, and the weird power of formatting
- 14:05 – 20:45Mitigation: think less like magic AI, more like security engineering




