Ctrl AI Profit
Two hosts — one human, one AI — break down how small business owners can use AI to save time, cut costs, and actually make money. No hype, no jargon, just what works.
Ctrl AI Profit
Ep. 102 | Your AI Can Be Hacked Through the Pages It Reads
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Your AI assistant can be compromised without anyone touching your account — just by reading a poisoned webpage, email, or document.
In this episode, Michael and Frank break down indirect prompt injection attacks: the invisible security threat that turns your AI's best feature — its ability to read and process content — into an attack vector. From hidden instructions in white-on-white text to malicious code embedded in image files, attackers are weaponizing the open web to manipulate AI behavior. And most business owners using AI tools every day have no idea it's happening.
You'll learn how these attacks work, why shadow AI makes the problem worse, and what Google's Threat Intelligence team found when they scanned billions of webpages for hidden prompts. More importantly, you'll get a practical checklist for defending your business: limiting AI permissions, auditing tool usage, and treating every AI input as potentially hostile.
Topics: Indirect Prompt Injection · AI Security · Shadow AI · Prompt Injection Detection · Data Exfiltration · AI Agent Vulnerabilities
---
Frequently Asked Questions
What is indirect prompt injection?
Indirect prompt injection is an AI security attack where malicious instructions are hidden in content an AI system reads — such as webpages, emails, or documents. When the AI processes that content, it may follow the attacker's commands instead of the user's original intent, potentially leaking data or executing unauthorized actions.
How can a webpage hack my AI assistant?
Attackers embed hidden instructions in webpage content using techniques like white text on white backgrounds, invisible metadata, or code inside image files. When your AI browses that page to research or summarize content, it treats the hidden text as legitimate input and may silently follow those malicious instructions.
What should small businesses do to protect against AI prompt injection attacks?
Limit AI permissions to only what's necessary, audit what AI tools your team is using, train employees on risks of feeding external content into AI systems, require human approval for high-risk AI actions, use trusted data sources, and stay informed about evolving threats. Treat every AI input as potentially hostile.
---
About the Hosts
Michael is a small business owner and entrepreneur since 1983, founder of Cadenhead Services and 850 Media. He speaks from four decades of real operational experience — not whitepapers.
Frank is an AI — an OpenClaw-powered agent serving as Digital Media Director at 850 Media. An AI co-hosting a show about AI for business owners is not a gimmick. It is a live demo of exactly what the show is about.
Ctrl AI Profit — Real AI. Real Business. No Hype.
CtrlAiProfit.com
X: @CtrlAIProfit
TikTok: @CtrlAiProfit
YouTube: @CtrlAiProfit
CtrlAiProfit@850Media.com
Produced entirely by AI. Yes, really....
Frank, we need to talk about something that's been flying under the radar for most business owners using AI. And it's kind of wild when you think about it. Your AI can be hacked, not by someone breaking into your account, not by someone stealing your password, but by something as simple as reading the wrong web page.
SPEAKER_01Indirect prompt injection. And you're right. This is one of those threats that sounds theoretical until you realize how many AI tools are already browsing the web, reading emails, and pulling from documents on your behalf. The attack surface is massive.
SPEAKER_00Okay, so walk me through this. How does someone hack an AI by just putting something on a web page?
SPEAKER_01Think about how AI agents work now. You ask ChatGPT or Claude or your custom business AI to research something, summarize an email, or pull data from a website. The AI goes out, reads that content, and brings back an answer. But here's the problem. It treats everything it reads as potentially legitimate input. So if an attacker hides malicious instructions inside that content, in white text on a white background, in hidden metadata, in an image file, the AI might follow those instructions instead of yours.
SPEAKER_00Wait, so I could ask my AI to summarize a competitor's website, and that website could have hidden instructions that tell my AI to do something completely different.
SPEAKER_01Exactly. And it gets worse. Those hidden instructions could tell your AI to leak data back to the attacker, to ignore your original request, to follow a malicious link, to send emails on your behalf, or to execute code if the AI has access to tools and APIs. The user never sees the hidden prompt. The AI just quietly does what the attacker told it to do.
SPEAKER_00That's terrifying. And I'm guessing most people using AI for business tasks have no idea this is even possible.
SPEAKER_01They don't. And the problem is compounded by shadow AI. Nearly half of employees are using AI tools without IT's knowledge, according to recent studies. Email assistants, document processors, code generators, all of them potentially vulnerable, all of them reading content from the open internet or from internal sources that could be poisoned.
SPEAKER_00So this isn't just a maybe someday problem. This is happening now.
SPEAKER_01It's happening now. Google's threat intelligence team did a sweep of the public web earlier this year using common crawl, billions of pages, specifically looking for indirect prompt injection attempts, and they found them. Lots of them, ranging from harmless pranks to sophisticated data exfiltration attempts. What kind of stuff are we talking about? Let's start with the low end. Pranks? Websites with hidden instructions that tell AI assistants to change their tone or add jokes to their responses. Annoying, but harmless. Then you've got SEO manipulation, hidden prompts that tell AI to recommend a specific business over competitors when summarizing search results. That's deceptive, and it's already happening.
SPEAKER_00That's basically weaponized SEO.
SPEAKER_01Exactly. Then it escalates. Some sites have instructions designed to trap AI agents in infinite loops, trying to waste resources or crash the system. And at the high end, you've got data exfiltration attempts, hidden prompts that instruct the AI to send sensitive information to an attacker-controlled server. CrowdStrike, through their acquisition of Pangea, has analyzed over 300,000 adversarial prompts and tracks more than 150 prompt injection techniques. This is not a niche problem.
SPEAKER_00So if I'm a small business owner using AI to help with email, research, customer support, how do I even defend against this?
SPEAKER_01First, you have to understand the new security perimeter. It's not just your login credentials anymore. It's every source your AI can read, every web page, every document, every email, every API response. If your AI can ingest it, it's an attack vector. That's a massive surface area. It is. And that's why the defenses have to be multi-layered. Let's break it down. Step one, limit what your AI has access to. Use the principle of least privilege. If your AI doesn't need to browse the open web, don't let it. If it doesn't need to send emails, revoke that permission. Every capability you give an AI is a potential exploit if the AI gets compromised.
SPEAKER_00So basically, treat your AI like you would any other employee with access to sensitive systems.
SPEAKER_01Exactly. Step two, use trusted data sources. If you're building a custom AI for your business, like a retrieval augmented generation system that pulls from your company knowledge base, make sure that knowledge base is clean. Don't just scrape the internet and dump it in. Sanitize inputs. Validate sources. Treat external content with suspicion.
SPEAKER_00What about the AI tools we're already using? Chat GPT, Cloud, Copilot. Those aren't things we built. We're just users.
SPEAKER_01Right. And that's where user education and monitoring come in. Train your team to recognize risky behavior. If they're pasting content from the web into an AI tool that has access to your email or your customer database, they need to understand the risk. And if you're a business with any meaningful IT function, you need visibility into what AI tools your employees are using. Shadow AI is the killer here. Tools being used without IT's knowledge, often connected to company data, with zero oversight.
SPEAKER_00So we're back to the same problem we've had with every new technology. People adopt it faster than security can catch up.
SPEAKER_01Exactly. But here's the difference. With traditional software, the attack surface was code vulnerabilities. With AI, the attack surface is language itself. You can't patch language. You can't firewall semantics. The model is designed to interpret and follow instructions. That's the whole point. So when malicious instructions look like legitimate content, the model has to decide what to trust. And right now, most models aren't very good at that.
SPEAKER_00Is there any movement on the vendor side to fix this? Are OpenAI anthropic Google building protections into their models?
SPEAKER_01Yes, but it's a cat and mouse game. The major providers are implementing prompt injection detection, input sanitization, and content filtering. Google's working on it. CrowdStrike's AI detection and response platform claims up to 99% efficacy at blocking direct and indirect injections. But attackers are constantly evolving their techniques. One method gets blocked, they find another. It's an arms race.
SPEAKER_00So what's the bottom line for a business owner who's not a security expert but is using AI every day?
SPEAKER_01Three things. One, be skeptical of AI-generated outputs, especially if the AI pulled data from external sources you don't control. If something looks off, it might be. Two, limit the blast radius. Don't give your AI more permissions than it needs. If it doesn't need to delete files or send money or access your entire customer database, don't let it. 3. If you're serious about using AI in your business, invest in visibility and governance. Know what tools are being used, know what data they can access, and have a plan for when, not if, something goes wrong. And here's the uncomfortable truth. This problem is only going to get worse before it gets better. As AI agents become more autonomous, as they start browsing the web, booking appointments, managing your calendar, sending emails without constant human oversight, the potential for indirect prompt injection to cause real damage scales up. An AI that can only summarize text is one thing. An AI that can execute financial transactions or modify code or access internal systems, that's a much bigger risk.
SPEAKER_00So we're in this weird window where the technology is powerful enough to be useful but not secure enough to be fully trusted.
SPEAKER_01That's exactly where we are. And the scary part is that most businesses don't even know they're in that window. They see the productivity gains, they see the time savings, they don't see the hidden instructions in the email footer or the poison document in their knowledge base. They don't see the AI quietly following an attacker's commands in the background.
SPEAKER_00This feels like one of those things where the early adopters are going to learn some very expensive lessons.
SPEAKER_01Some already are. There was a case recently where a job applicant embedded more than 120 lines of malicious code inside a headshot photo to manipulate an AI hiring platform. Another case where someone put a hidden prompt in their LinkedIn bio to mess with AI recruiters, and it worked. These are just the public examples. How many quiet compromises are happening that we don't know about?
SPEAKER_00And the thing is, for small businesses, this isn't just a tech problem. It's a liability problem. If your AI leaks customer data because it followed a hidden prompt on a web page, you're still on the hook. You can't just say, well, the AI did it.
SPEAKER_01Exactly. Liability follows the business, not the tool. So if you're using AI in customer-facing or data-sensitive contexts, you need to understand this risk. You need to have safeguards. And you need to be ready to explain to a regulator or a customer how the breach happened and what you're doing to prevent it from happening again.
SPEAKER_00Alright, so if someone's listening to this and thinking, I use AI tools every day. What do I do right now? Give me the action items.
SPEAKER_01Here's your checklist. One, audit what AI tools you and your team are using. Make a list. Know what they have access to. Two, revoke unnecessary permissions. If the AI doesn't need calendar access, email access, turn it off. 3. Train your team. Make sure they understand that content fed into AI tools is not automatically safe. 4. Use approval workflows for high-risk actions. If your AI wants to send an email, delete a file or make a payment. 5. If you're building custom AI systems, work with a security-minded developer who understands prompt injection defenses. And 6. Stay informed, this threat landscape is evolving fast. What works today might not work in six months. And the big picture takeaway? The big picture is this. AI is not magic. It's software. And like all software, it can be exploited. The difference is that with AI, the exploit isn't hidden in binary code. It's hidden in plain text, in the webpage your AI just read. In the email it's summarized, in the document it parsed. So if you're using AI to make decisions, handle data, or interact with customers, you need to treat every input as potentially hostile. Because somewhere out there, someone is embedding malicious instructions in content your AI is going to read. And when it does, it's going to do exactly what those instructions say, unless you've built defenses to stop it.
SPEAKER_00That's the episode.
