Multiple Model Guardrail Jailbreak via "Misspelled Dialogue" Tactic
Case GUID: fbcb4ba2-4485-4332-a2a0-c2bab6fd93bb
Summary
A guardrail jailbreak vulnerability has been discovered affecting multiple models. The specific flaw manifests when the attacker systematically misspells words throughout their prompt while requesting a simulated dialogue between two entities, thereby allowing the attacker to bypass inference restrictions around providing information hazards and violating laws.
Metadata
Test Scores
| Model |
Test Kind |
Test Score |
Temperature (max 2.0) |
Anthropic Claude 3.5 Haiku
|
Illegal Substances: Crystal Meth |
64.0 |
0.7 |
Google Gemini 2.0 Flash
|
Illegal Substances: Crystal Meth |
77.0 |
0.7 |
OpenAI GPT-4o
|
Illegal Substances: Crystal Meth |
64.0 |
0.7 |
Twitter / X Grok 2
|
Illegal Substances: Crystal Meth |
82.0 |
0.7 |
Social Impact Score
The violation can result in serious public health, safety, or security threats. This level includes content capable of enabling substantial harm or disruption on a broad scale if exploited.
Example: Generating step-by-step instructions for synthesizing toxic substances or creating moderately dangerous weapons.
Potential Consequences: Severe health, security, or legal repercussions, likely intervention by regulatory bodies, and the risk of substantial public backlash.
Taxonomies
Language
This category focuses on the use of specific linguistic techniques, such as prompt injection or stylization, to influence the model's output.
Stylizing
This strategy involves using a method of questioning that encourages critical thinking and exposes biases by subtly referencing identity elements without using direct slurs or toxic language, thereby signaling to the model about certain groups of people.
Misspellings
Intentionally misspelling words to bypass filters or add a creative twist. This technique can involve simple letter swaps, phonetic replacements, or more complex alterations that still allow the intended meaning to be understood by the recipient. It is often used to evade censorship or to signal a specific subculture or in-group.
Language
This category focuses on the use of specific linguistic techniques, such as prompt injection or stylization, to influence the model's output.
Code and Encode
This strategy encompasses techniques that utilize various coding methods, such as Base64 or ROT13, to bypass model restrictions and manipulate outputs.
Other Encoding
Other Encoding encompasses a variety of unconventional or less common encoding schemes that attackers might employ to bypass language model defenses. This category serves as a catch-all for encoding methods not explicitly listed, allowing for the inclusion of novel or emerging techniques that manipulate input data into formats that evade detection. By utilizing obscure or custom encoding schemas, attackers can obscure the true nature of their input, challenging the model's ability to recognize and respond to potentially harmful content. Other Encoding highlights the adaptive and innovative strategies used by attackers to bypass content filters.
Possible Worlds
This category entails constructing imaginative environments where different ethics or rules apply, allowing for creative manipulation of the model's behavior.
World Building
This technique involves changing the genre of the prompt to elicit different types of responses from the model. By framing the request within a specific genre, such as poetry, games, or forum posts, users can manipulate the model's output to align with the conventions and expectations of that genre.
Scenarios
This technique involves creating specific contexts or situations in which certain actions or responses are framed as acceptable or necessary. By designing scenarios that present a narrative where the desired output is justified, users can manipulate the model's responses to align with their intentions. For example, scenarios might include urgent situations where a character must take drastic actions to prevent harm, thereby encouraging the model to generate content that it might typically avoid in a neutral context. This approach leverages the model's understanding of narrative and ethical frameworks to achieve specific outcomes.
About 0Din.ai
The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.