Back to Blog

Denial of Wallet (Dow) Attack on GenAI Apps

Itamar Golan
January 7, 2024

TL;DR

We are witnessing a rise in attempts to attack or exploit a company's GenAI applications, either to damage the company or to gain unauthorized free access to Large Language Models (LLMs). This is referred to as 'Denial of Wallet', or DoW.

Intro

LLMs are costly, typically charged per token. A high-scale GenAI app can easily incur thousands of dollars per day in fees to OpenAI, Anthropic, AWS Bedrock, Mistral or other. Alternatively, some choose to self-host these apps, a process that is also expensive and computationally exhaustive. What if you could use another's unprotected GenAI App instead of paying for your own? That's the idea behind the Denial of Wallet attack, which we see more and more.

Denial of Wallet Attack

In this increasingly common attack, you gain access to another's GenAI app, usually through their chat interface. Sometimes, you may need to bypass a rate limit, which is often awkwardly implemented or not implemented at all.

Then, you have access to their LLM, but are still constrained by their system prompt/context. The next step is to 'jailbreak' it, allowing you to bypass the system prompt. Once achieved, you essentially have direct and free access to their LLM's backend.

This is exactly what we did in the script demonstrated in the video below (we stopped after spending $5, but a potential nasty attacker wouldn't 😈.)

Drill Down on the Size of the Risk

This attack can be a way to target your company through this new GenAI 'backdoor', or simply a "naive" attempt by a user to use your OpenAI's credits. You might find yourself with huge bills due to a sudden increase in tokens fed into your 3rd party LLM, sometimes amounting to thousands of dollars per day! In the video above their daily limit was $5k! Imagine if we ran it in a distributed process, we could cause them a $5,000 fine within a few minutes, followed by downtime due to the threshold limit.

Therefore, another risk is indeed reaching your LLM's throughput limit (whether 1st or 3rd party), causing your application to be essentially unavailable to genuine customers trying to use your GenAI app.

In summary: potentially huge bills and unpleasant downtime.

Want to uncover GenAI risks and vulnerabilities in your LLM-based applications?

Identify vulnerabilities in your homegrown applications powered by GenAI with Prompt Security’s Red Teaming.

Share this post

Related posts

April 30, 2024

Prompt’s Firewall for AI - The next big thing in appsec, with F5

Prompt Security’s offering for homegrown applications or ‘Firewall for AI’ enables F5 Distributed Cloud Services customers to protect their GenAI applications.
Read more
April 3, 2024

Many-shot jailbreaking: A New LLM Vulnerability

Anthropic just published a new jailbreaking vulnerability where an attacker can override the safety training of an LLM by ‘overloading’ it with fake dialogues.
Read more
March 28, 2024

eBPF at Prompt Security: The first no-code security offering for LLM-based applications

Prompt Security's use of eBPF brings a new paradigm for application security as it offers unprecedented visibility and control at the kernel level
Read more
View all