Attached a pretty cool article covering it. This is something I never would have thought of before.
And you can use it to jailbreak (I don’t know if it’s been patched yet)
https://medium.com/@zehanimehdi49/base64-one-shot-inference-jailbreak-gpt-4o-4o-mini-dfae67bc8043
Examples?
LLMs don’t understand anything
That’s not the LLM that understand your encoded string, it’s simply a preprocessing filter recognizing the signature of a base64 encoded string that decodes it and pass it back to the LLM.
Agreed, this is a relatively simple “tool” as the LLM parlance goes. It’s what Model Context Protocol (MCP) is designed to facilitate
To verify, the author should try the same prompts on a local LLM with no tools enabled and most likely the LLM will respond with some nonsense
LLM left to its own devices.
I was thinking the same thing, does anyone have a local LLM that they could test against? Local shouldn’t have the same preprocessing up front?
