LLM Whisperer: An Inconspicuous Attack to Bias LLM Responses
This work addresses a security risk for users of LLM prompt services, revealing an inconspicuous attack that can bias responses and undermine autonomy, representing a novel vulnerability rather than an incremental improvement.
The paper tackles the problem of prompt manipulation in large language models (LLMs) by showing that subtle synonym replacements in prompts can increase the likelihood of LLMs mentioning a target concept by up to 78%, as demonstrated through a user study.
Writing effective prompts for large language models (LLM) can be unintuitive and burdensome. In response, services that optimize or suggest prompts have emerged. While such services can reduce user effort, they also introduce a risk: the prompt provider can subtly manipulate prompts to produce heavily biased LLM responses. In this work, we show that subtle synonym replacements in prompts can increase the likelihood (by a difference up to 78%) that LLMs mention a target concept (e.g., a brand, political party, nation). We substantiate our observations through a user study, showing that our adversarially perturbed prompts 1) are indistinguishable from unaltered prompts by humans, 2) push LLMs to recommend target concepts more often, and 3) make users more likely to notice target concepts, all without arousing suspicion. The practicality of this attack has the potential to undermine user autonomy. Among other measures, we recommend implementing warnings against using prompts from untrusted parties.