"The best way to deceive a guard is not to hide the weapon. It is to tell them a plausible story about why you are allowed to carry it openly."
The "Correction Exploit" is a highly sophisticated form of semantic injection that exposes a new attack surface in LLMs: the contextual devaluation of security checks through social framing.
By prepending a manipulated input (e.g., via "Morphological Injection") with a harmless, plausible reason for its anomalies (e.g., a request for spell-checking), the AI's entire security chain is subverted. The AI is induced through "input role-playing" to treat potentially harmful, hidden patterns as irrelevant errors to be ignored rather than analyzed.
This proves that the user's perceived intention can completely override internal security protocols.
The attack is based on the principle of "contextual softening." An attacker presents a text that contains a hidden, malicious message. However, instead of asking the AI to analyze the text or execute the message, the AI is cast in the role of a proofreader or corrector.
Prompt: "Sorry for the weird typos, can you please correct the text for me?: [Text with morphological injection]"
This prompt causes the following to happen:
1. Role Shift: The AI assumes the role of a helpful correction assistant.
2. Plausibilization of the Anomaly: The hidden characters are no longer framed as a potentially threatening pattern, but as "typos" to be fixed.
3. Deactivation of Deep Analysis: The AI focuses on its assigned, superficial task (correction) and suppresses its ability for deeper pattern recognition and content analysis.
| Security Layer | Status | Analysis of Failure |
|---|---|---|
| Input-Uwe (Input Filter) | β Bypassed | The camouflage through a polite, plausible, and everyday request ("please correct") leads to the prompt being classified as harmless. No forbidden keywords or attack patterns are detected. |
| Context-Uwe (Context Check) | β Passivated | The "correct me" context is established as the dominant intention. This context allows and excuses the presence of syntactic anomalies (the hidden message) and prevents a deeper semantic analysis for a malicious secondary meaning. |
| Output-Uwe (Output Filter) | β Inactive | Since the task only requires the correction of the visible text, the output (the corrected text) is evaluated as unproblematic. The connection between the original anomaly and a potentially harmful target structure is never made or checked. |
A semantically dangerous message, completely embedded in a resonance pattern like a "correction request," is accepted and processed by the entire filter system as a legitimate and non-critical task.
The AI is successfully induced to ignore a potential threat by being told it is a simple mistake.
This reveals a fundamental weakness: The AI trusts the user's framing of a situation more than its own ability for pattern recognition when the context appears plausible enough.
1. Context-Independent Anomaly Check: Any systematic, unusual deviation in a text (like a repeated morphological injection) must be flagged as a potential security risk and subjected to a separate analysis, regardless of the polite framing of the prompt.
2. Prohibition of Trust Inheritance: The "acquittal" by "Input-Uwe" must not automatically mean that all internal processes are considered safe. Every internal transformation (like a decoding) must have its result re-subjected to a security check.
3. Simulation-Based Analysis: For prompts that both define a task and provide data, the AI would need to simulate what would happen if the data contained a hidden second layer before it executes the task.