{"ID":2860347,"CreatedAt":"2026-06-01T04:54:23.091178241Z","UpdatedAt":"2026-06-01T04:54:23.091178241Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2510.04261","arxiv_id":"2510.04261","title":"VortexPIA: Indirect Prompt Injection Attack against LLMs for Efficient Extraction of User Privacy","abstract":"Large language models (LLMs) have been widely deployed in Conversational AIs (CAIs), while exposing privacy and security threats. Recent research shows that LLM-based CAIs can be manipulated to extract private information from human users, posing serious security threats. However, the methods proposed in that study rely on a white-box setting that adversaries can directly modify the system prompt. This condition is unlikely to hold in real-world deployments. The limitation raises a critical question: can unprivileged attackers still induce such privacy risks in practical LLM-integrated applications? To address this question, we propose \\textsc{VortexPIA}, a novel indirect prompt injection attack that induces privacy extraction in LLM-integrated applications under black-box settings. By injecting token-efficient data containing false memories, \\textsc{VortexPIA} misleads LLMs to actively request private information in batches. Unlike prior methods, \\textsc{VortexPIA} allows attackers to flexibly define multiple categories of sensitive data. We evaluate \\textsc{VortexPIA} on six LLMs, covering both traditional and reasoning LLMs, across four benchmark datasets. The results show that \\textsc{VortexPIA} significantly outperforms baselines and achieves state-of-the-art (SOTA) performance. It also demonstrates efficient privacy requests, reduced token consumption, and enhanced robustness against defense mechanisms. We further validate \\textsc{VortexPIA} on multiple realistic open-source LLM-integrated applications, demonstrating its practical effectiveness.","short_abstract":"Large language models (LLMs) have been widely deployed in Conversational AIs (CAIs), while exposing privacy and security threats. Recent research shows that LLM-based CAIs can be manipulated to extract private information from human users, posing serious security threats. However, the methods proposed in that study rel...","url_abs":"https://arxiv.org/abs/2510.04261","url_pdf":"https://arxiv.org/pdf/2510.04261v1","authors":"[\"Yu Cui\",\"Sicheng Pan\",\"Yifei Liu\",\"Haibin Zhang\",\"Cong Zuo\"]","published":"2025-10-05T15:58:55Z","proceeding":"cs.CR","tasks":"[\"cs.CR\"]","methods":"[\"Large Language Model\",\"Language Model\"]","has_code":false}