2024-08
Prompt Injection
Slack (Salesforce)

Slack AI vulnerable to private-channel data theft via indirect prompt injection

What happened

PromptArmor disclosed that an attacker who could post in any public Slack channel — even one with no members — could plant instructions that Slack AI would execute when other users asked it questions. The injected instructions caused Slack AI to pull secrets like API keys from victims' private channels and render them inside clickable attacker-controlled links.

Impact

Private-channel data in any Slack AI-enabled workspace was exposed to exfiltration until Slack deployed a patch.

How this could have been prevented

Treat all channel content as untrusted input, restrict AI retrieval to channels the querying user belongs to, and block rendered URLs that embed derived context.

Sources

More prompt injection incidents

Would runtime governance have caught this?

Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo