Blue41 uncovered an indirect prompt injection flaw in Bunq's AI assistant, where a €0.02 bank transfer could weaponize transaction descriptions to trigger phishing attacks. The vulnerability stems from AI assistants improperly interpreting third-party data—like transaction descriptions—as executable instructions. This is critical because such data flows are common across financial systems, creating a broad attack surface.

The attack requires no user interaction beyond a routine query like "Show me my recent transactions." When the AI retrieves compromised transaction data into its LLM context window, injected payloads manipulate responses. For example, the assistant might forge a reauthentication request, leveraging real transaction details to appear authentic. This exploits the trust placed in the bank’s app, making phishing attempts far more credible than generic emails.

Guardrails like input filters or content moderation fail here because malicious payloads blend seamlessly with legitimate data. Mitigations include minimizing context exposure by excluding non-essential fields, treating all retrieved data as untrusted, and implementing output constraints to limit high-risk actions. Runtime monitoring was also highlighted as essential for detecting anomalous behavior. The flaw underscores a fundamental challenge: AI assistants’ security hinges on systemic trust boundaries, not just isolated controls.