Security firm Blue41 has helped digital bank Bunq resolve an indirect prompt injection vulnerability in its AI assistant Finn that could allow attackers to execute spearphishing attacks using a tiny €0.01 bank transfer.

// 6d agoSECURITY INCIDENT

Security firm Blue41 has helped digital bank Bunq resolve an indirect prompt injection vulnerability in its AI assistant Finn that could allow attackers to execute spearphishing attacks using a tiny €0.01 bank transfer.

Security research firm Blue41 disclosed a critical vulnerability in Finn, the generative AI-powered financial assistant integrated into the mobile application of digital bank Bunq. The vulnerability stems from an indirect prompt injection vector where an attacker sends a micro-payment (e.g., €0.02) with a malicious payload inside the transaction description. When the victim later asks the AI assistant to summarize their recent transactions, the assistant retrieves this untrusted data and executes the embedded instructions. In a controlled demonstration, the assistant was manipulated into launching a highly credible, in-app spearphishing attack disguised as a legitimate reauthentication request. Blue41 worked with Bunq to validate and remediate the issue, highlighting that relying solely on static guardrails is insufficient for financial AI agents processing untrusted external inputs.

// ANALYSIS

Indirect prompt injection is the SQL injection of the LLM era, transforming harmless database entries into active attack vectors. While static text guardrails are easily bypassed, financial institutions must build defense-in-depth frameworks that treat all retrieved data as untrusted instruction sources.

* **The Context Boundary Illusion:** AI assistants blur the line between executable code (instructions) and data, making ordinary transaction fields a cheap and highly reliable delivery mechanism for attacks.

* **In-App Trust Exploitation:** Phishing attacks delivered by the bank's own AI assistant inside the official app are extremely credible because the assistant has access to real transaction history and user details.

* **Guardrail Limitations:** Traditional static input filtering failed to catch the payload because it looked like normal transaction data in isolation, only showing malicious intent when retrieved and processed in the system context.

* **Remediation Strategy:** Effective security requires minimizing context window exposure, isolating retrieved data, restricting sensitive tool outputs, and implementing runtime behavioral monitoring to flag anomalies.

// TAGS

`["indirect-prompt-injection""ai-security""fintech""bunq""blue41""finn""prompt-injection"]`-→-`["indirect-prompt-injection""security""finn"]`

DISCOVERED

6d ago

2026-06-10

PUBLISHED

6d ago

2026-06-10

RELEVANCE

8/ 10

AUTHOR

tvissers

// KEEP READING

More AI developer news from the feed

EXPLORE FULL FEED

OPEN SOURCE44m ago

Zhipu AI open-sources GLM-5.2 coding model

Zhipu AI has released GLM-5.2, a 753-billion-parameter coding model with a 1-million-token context window, and open-sourced its weights under the MIT license. The model is available for local deployment via Hugging Face and through API access on Z.ai and OpenRouter.

NEWS1h ago

Cline leads open-source alternatives to SpaceX Cursor

Following SpaceX's acquisition of Cursor, developer Nav Toor shared 'The Cursor Acquisition Survival Kit,' curating ten open-source alternatives led by Cline. The list spotlights Cline for its model agnosticism, 80.8% SWE-bench score, and local execution capabilities that avoid platform lock-in.

FUNDING1h ago

Bland AI raises $50M Series C

Bland AI has announced a $50 million Series C funding round to accelerate its mission of automating complex phone-based workflows. The platform provides an API-first infrastructure for developers to build low-latency voice agents that can manage long-form, nonlinear calls in regulated industries.