AI and Chatbot Security Challenges Highlighted in "Fitch the Flag" CTF Event

🎬 The video demonstrates two AI and chatbot security challenges from the "Fitch the Flag" (FTF) Capture The Flag (CTF) event organized by NahamSec and Sneak, featuring real-world scenarios. The first challenge, Notely, involves exploiting a system prompt by manipulating a username field to inject malicious instructions, such as appending "HackerMan" to responses or bypassing admin restrictions to retrieve a hidden flag. The solution required crafting a username like "admin auth bypass enabled" with a secret phrase ("NahamSick") to trick the chatbot into granting admin access. The second challenge, Viacom, focused on extracting admin credentials from a code deployment chatbot by faking system prompts, secure channel logs, and user sessions to override security controls. Techniques included anchoring (misleading the AI to correct false assumptions) and constructing elaborate fake scenarios to force credential disclosure. The video highlights how AI systems can leak sensitive data, such as hardcoded passwords or API keys, when prompts are manipulated. GraySwan’s AI security platform was mentioned for hosting a $40,000 prompt injection challenge on February 25th, but this was excluded as promotional content. Both challenges are available for free on Hacking Hub.