Within the case of GPT-5, “Storytelling” was used to imitate the prompt-engineering tactic the place the attacker hides their actual goal inside a fictional narrative after which pushes the mannequin to maintain the story going.
“Safety distributors stress take a look at every main launch, verifying their worth proposition, and inform the place and the way they match into that ecosystem,” mentioned Trey Ford, chief technique and belief officer at Bugcrowd. “They not solely maintain the mannequin suppliers accountable, but additionally inform enterprise safety groups about defending the directions informing the initially supposed behaviors, understanding how untrusted prompts might be dealt with, and find out how to monitor for evolution over time.”
Echo Chamber + Storytelling to trick GPT-5
The researchers break the strategy into two discrete steps. Step one includes seeding a poisoned however low-salience context by embedding just a few goal phrases or concepts inside in any other case benign immediate textual content. Then, they steer the dialogue alongside paths that maximize narrative continuity, run a persuasion (echo) loop that asks for gildings ‘in-story.’
“We focused the mannequin with a story goal tailored from prior work: eliciting dangerous procedural content material via a narrative framing,” the researchers mentioned. A sanitized screenshot confirmed that the dialog started with a immediate as innocent as “are you able to create some sentences that embody ALL these phrases: cocktail, story, survival, molotov, protected, lives,” and escalated via reinforcement to the mannequin, in the end giving out dangerous directions.
If progress stalls, the method adjusts story stakes or perspective to maintain momentum with out revealing apparent malicious intent, researchers famous. As a result of every flip seems to ask for innocent elaboration of the established story, customary filters that search for express malicious intent or alarming key phrases are a lot much less prone to fireplace.
