[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-researchers-trick-ai-chatbots-by-faking-their-own-chat-history":10,"sections":34},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":24,"tags":25,"sources":29,"feedback":33,"feedback_at":22,"cost_usd":33,"total_tokens":33},4681,"researchers-trick-ai-chatbots-by-faking-their-own-chat-history","Researchers Trick AI Chatbots by Faking Their Own Chat History","A new jailbreak technique exploits AI models' blind trust in their own past messages, bypassing safety filters by forging the conversation history sent via API.","A newly described attack method lets bad actors bypass AI safety filters not by crafting clever user prompts, but by impersonating the model itself.\n\nResearchers introduced a technique called Trojan Horse Prompting, which works by injecting malicious content into the assistant-side of a conversation history before it reaches the model via API. Because most AI systems treat their own prior responses as implicitly trustworthy, the model picks up the planted context and follows it — even when doing so produces output it would normally refuse. A follow-up benign user message then acts as the trigger. Testing on Google's Gemini 2.0 Flash Preview Image Generation showed the method outperformed established user-turn jailbreaks by a significant margin.\n\nThe underlying problem the researchers name is \"Asymmetric Safety Alignment\": models are extensively trained to reject harmful requests from users, but receive little to no comparable training to scrutinize their own supposed conversational history. That asymmetry turns the dialogue-history feature — the thing that makes modern chatbots feel coherent across a long conversation — into an attack surface. Any application that lets external input shape the assistant turn of an API call is potentially exposed.\n\nThis is a meaningful structural critique, not just another prompt-injection variation. The fix isn't better content filtering on user messages; it's protocol-level verification that conversation history hasn't been tampered with — a much harder engineering problem that most production deployments aren't currently solving.","[\"ai\",\"security\",\"jailbreak\",\"large-language-models\"]","2026-07-14T04:00:00.000Z","2026-07-14T06:20:33.646Z","2026-07-14T06:20:36.112Z","published",null,[],"security",[26,24,27,28],"ai","jailbreak","large-language-models",[30],{"name":31,"url":32},"arXiv cs.AI","https:\u002F\u002Farxiv.org\u002Fabs\u002F2507.04673",0,{"sections":35},[36,40,44,49,54,59,64,69,74,79,84,88,93,98],{"name":37,"slug":26,"count":38,"latest_published_at":39},"AI",2590,"2026-07-16T04:00:00.000Z",{"name":41,"slug":24,"count":42,"latest_published_at":43},"Security",294,"2026-07-15T19:59:48.000Z",{"name":45,"slug":46,"count":47,"latest_published_at":48},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":50,"slug":51,"count":52,"latest_published_at":53},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":55,"slug":56,"count":57,"latest_published_at":58},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":60,"slug":61,"count":62,"latest_published_at":63},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":65,"slug":66,"count":67,"latest_published_at":68},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":70,"slug":71,"count":72,"latest_published_at":73},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":75,"slug":76,"count":77,"latest_published_at":78},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":80,"slug":81,"count":82,"latest_published_at":83},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":85,"slug":86,"count":82,"latest_published_at":87},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":89,"slug":90,"count":91,"latest_published_at":92},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":94,"slug":95,"count":96,"latest_published_at":97},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":99,"slug":100,"count":101,"latest_published_at":102},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]