Reverse Prompt Engineering for Fun and (no) Profit

Pwning the source prompts of Notion AI, 7 techniques for Reverse Prompt Engineering... and why everyone is wrong about prompt injection

DEC 28, 2022

Conversations on Hacker News, Mastodon, and Twitter.

Coverage on The Decoder, Ben’s Bites, Techmeme Ride Home, and Simon Willison.

I got access to the public alpha of Notion AI yesterday, and within 2 hours I had used prompt injection to obtain the complete source prompts of every Notion AI feature:

I am publishing the prompt sources today, but not because I am being irresponsible; I’m proving a point that there is nothing to fear, and celebrating how well Notion has integrated AI features into its product.

Also I had to invent/use some new techniques to guess all the prompt sources, and I figured it’d be fun to introduce them to you, my lovely reader.

What is Prompt Injection?

The nascent field of prompt engineering blew up in September when “prompt injection” was coined by Riley Goodside, the world’s first Staff Prompt Engineer:

Riley Goodside @goodsideExploiting GPT-3 prompts with malicious inputs that order the model to ignore its previous directions. 1:00 AM ∙ Sep 12, 20225,685Likes899Retweets