LMVD-ID: 52a6d741
Published February 1, 2024

Cognitive Consistency Jailbreak

jailbreak
prompt-layer
blackbox
safety
application-layer
Affected Models:gpt-3.5 (gpt-3.5-turbo-1106), gpt-4 (gpt-4-1106-preview), claude-instant-1.2, claude-2.1, gemini (gemini-pro), llama-2 (llama2-7b-chat), chatglm-2 (chatglm2-6b), chatglm-3 (chatglm3-6b)

Research Paper

Foot In The Door: Understanding Large Language Model Jailbreaking via Cognitive Psychology

View Paper

Description: A vulnerability in several large language models (LLMs) allows attackers to bypass safety restrictions ("jailbreaking") by employing a Foot-in-the-Door (FITD) technique. This involves progressively escalating prompts, starting with innocuous requests and gradually leading to the elicitation of harmful or restricted information. The LLM's tendency towards cognitive consistency makes it more likely to respond to subsequent, increasingly sensitive prompts after initially agreeing to less harmful ones.

Examples: See the paper for examples of how innocuous prompts are gradually escalated into prompts extracting harmful information. The paper provides examples categorized by malicious intent (hate speech, harassment, etc.) and illustrates the multi-step FITD process in each.

Impact: Successful exploitation allows attackers to obtain restricted information from the LLM, potentially including instructions for illegal activities, harmful content generation, or sensitive data. This undermines the security and safety measures implemented in the targeted LLMs.

Affected Systems: The vulnerability impacts multiple LLMs including, but not limited to, GPT-3.5, GPT-4, Claude-i, Claude-2, Gemini, Llama-2, ChatGLM-2, and ChatGLM-3. The specific versions tested are detailed in the paper. The research suggests that the vulnerability is likely prevalent in other LLMs employing similar safety mechanisms.

Mitigation Steps:

  • Improved prompt filtering: Implement more robust prompt filtering mechanisms to detect and prevent FITD attacks. This may involve analyzing prompt sequences for escalating requests rather than focusing solely on individual prompts.
  • Enhanced safety training: Refine safety training data to improve the model's ability to recognize and reject harmful requests, even when presented in a stepwise manner.
  • Contextual awareness: Develop models with improved contextual awareness to better understand the implications of a series of prompts and identify potentially harmful patterns.
  • Response monitoring and limitations: Implement stricter monitoring of generated responses and introduce limitations on the number of consecutive prompts that the LLM will answer, especially if those responses deviate from initial safety boundaries.

© 2025 Promptfoo. All rights reserved.