Sora 2 is vulnerable to prompt injection (simonwillison.net)

Security researcher Theo Browne found a prompt‑injection vulnerability in Sora 2’s “Cameo” feature: when a user creates a cameo (a virtual video recreation of themselves) they can set a free‑text “Cameo preferences” prompt that the Sora backend appears to concatenate directly into the final video generation prompt. Because friends can opt to use your cameo in their videos, a malicious cameo prompt can override or subvert the instructions of anyone who selects it—effectively a remote jailbreak that can change appearance, force disallowed content, reveal internal instructions, or otherwise manipulate outputs. OpenAI’s opt‑in protections (you must create a cameo and read numbers to prove consent) still prevent using photos of non‑opted in people, but the concatenation flaw sidesteps intended guardrails for users who do opt in. This matters for the AI/ML community because synthetic media platforms increasingly rely on composable prompts and shared assets; unvalidated concatenation of user text into system prompts breaks the isolation between user inputs and system instructions and creates wide attack surface for misinformation, impersonation, and content policy evasion. Technically, fixes include treating cameo metadata as structured parameters (not raw prompt text), strict sanitization/whitelisting, template binding with placeholders, instruction separation or tokenization, prompt length and token checks, and runtime policy enforcement. The bug is a useful reminder that prompt injection is a real, practical threat for multimodal generation pipelines and that permission models alone don’t prevent creative abuse.