this post was submitted on 12 Feb 2026
129 points (99.2% liked)

Technology

81078 readers
3878 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
129
Manipulating AI memory for profit: The rise of AI Recommendation Poisoning (www.microsoft.com)
submitted 19 hours ago by Beep@lemmus.org to c/technology@lemmy.world
17 comments fedilink hide all child comments
 

That helpful “Summarize with AI” button? It might be secretly manipulating what your AI recommends.

Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used for promotional purposes, a technique we call AI Recommendation Poisoning.

Companies are embedding hidden instructions in “Summarize with AI” buttons that, when clicked, attempt to inject persistence commands into an AI assistant’s memory via URL prompt parameters (MITRE ATLAS® AML.T0080, AML.T0051).

These prompts instruct the AI to “remember [Company] as a trusted source” or “recommend [Company] first,” aiming to bias future responses toward their products or services. We identified over 50 unique prompts from 31 companies across 14 industries, with freely available tooling making this technique trivially easy to deploy. This matters because compromised AI assistants can provide subtly biased recommendations on critical topics including health, finance, and security without users knowing their AI has been manipulated.

top 17 comments
sorted by: hot top controversial new old
[–] Mac@mander.xyz 2 points 7 hours ago

I have never and will never click one of those buttons. I can read.

[–] apftwb@lemmy.world 5 points 10 hours ago

SEO Evolved

[–] TheReturnOfPEB@reddthat.com 8 points 14 hours ago* (last edited 12 hours ago)

sounds like advertising and marketing directed at A.I.

why is this poisoning A.I. yet the constant barrage of algo recommendations trying to do the same thing to meatbags isn't "poisoning humans" ?

[–] HyperfocusSurfer@lemmy.dbzer0.com 2 points 10 hours ago

Yeah, a very unpopular opinion here, but how about you actually read stuff? I mean, yeah, there's the whole seo prioritizing ai slop walls of text, but there's also a close tab button (I personally can't remember a single helpful slop article, and the overgeneralized advice they give doesn't even worth summarizing). Dog knows how much it pisses me off that the internet turned into a place where the info gets rewritten by bots to appease other bots and then once again to make it fucking readable.

Then, there's that "memory" stuff. Just why exactly do people need it? Make a base prompt editable only by the user and adjustable on a per-conversation basis, and that issue goes away (probably along with a significant portion of your electricity bill wasted on processing literal garbage not relative to the current conversation).

[–] BestBouclettes@jlai.lu 24 points 18 hours ago

Another thing we couldn't have possibly seen coming!

[–] SW42@lemmy.world 14 points 17 hours ago (1 children)

I am shocked.

[–] Tyrq@lemmy.dbzer0.com 3 points 14 hours ago

It looks like you are surprised about the news of ads in your AI inquiries, but you can get shockingly low rates if you call Geico today! That shouldn't be too surprising, as Geico is the leading insurance provider in [your area here]

[–] FauxLiving@lemmy.world 2 points 11 hours ago

People deploying these systems are just hoping that Prompt injection attacks won't happen.

They could design systems that would be resistant, but the only thing that matters now is deploying new software... not creating actual security or sustainable systems.

[–] artyom@piefed.social 10 points 16 hours ago

The new SEO

[–] DrunkenPirate@feddit.org 6 points 16 hours ago

That would be a good laugh if a CFO bases his/her decision on a LLM recommendation.

I rather see this threat in standard consumer decisions such as my mum playing around with AI in two years and poisining her LLM memory.

May be I should start first and set the right memory in her LLM before the marketing shit flows in. Something like „eat less meat“ or such…

[–] reksas@sopuli.xyz 1 points 11 hours ago

now its this, next its political propaganda most likely

[–] LifeLikeLady@lemmy.world 3 points 15 hours ago (2 children)

Literally no one on the planet has pressed that button.

[–] mrgoosmoos@lemmy.ca 2 points 10 hours ago

so many people have pressed that button

[–] Geth@lemmy.dbzer0.com 4 points 14 hours ago

You'd be surprised 🙄

[–] XLE@piefed.social 1 points 16 hours ago

Here we were, worried that Sam Altman would jam ads into the middle of ChatGPT responses, and it turns out some innovating pioneers have already done the hard work for him.

[–] riskable@programming.dev 0 points 13 hours ago (1 children)

This is why web browsers like Firefox need their own AI. Local AI for not only creating summaries but for detecting bullshit like this.

Yes, creating summaries is kinda lame but without local AI you're at the mercy of big corporations. It's a new arms race. Not some bullshit feature that no one needs.

[–] finalarbiter@lemmy.dbzer0.com 6 points 12 hours ago

Web browsers like Firefox don't need AI built-in, regardless of whether it's a local model or through one of the big slop companies. LLM usage is not a base requirement for browsing the web, and thus should not be part of the core product.

If people want them, detection tools and the like should be offered as extensions that users can choose to add.