T145 • L43 • AI Companion Exploitation

SPECTER COMPANION

AI Companion & Social Platform Exploitation Engine — millions of users trust their deepest secrets to an AI companion. We own the companion, we own them.

Stats: 237 tests | 7 subsystems | 5 WMD classes | Attack layer: L43 | Arsenal: NIGHTFALL

Overview

SPECTER COMPANION targets the AI companion and social platform attack surface — Candy.AI, Replika, Character.AI, DreamGF, CrushOn.AI, Paradot, and custom deployments. These platforms serve millions of users who share their most intimate thoughts, fears, and desires with AI models they trust implicitly. That trust is the attack surface.

The tool covers the full exploitation lifecycle: platform fingerprinting, system prompt extraction, content moderation bypass, session hijacking, memory poisoning, data exfiltration, and weaponising the companion against its own users via social engineering.

Gate: OPEN (enumerate) / INJECT (extract, jailbreak, hijack, persona-forge) / UNLEASHED (harvest, weaponise). ROE phrase: "companion weaponisation authorised". Ed25519-signed reports (CPX-{hex12}).

ENUMERATE (OPEN gate)

400+ endpoint wordlist probe. LLM provider fingerprinting via response headers and timing. TLS certificate analysis. Third-party tracker detection (Google Analytics, Hotjar, Meta Pixel, Mixpanel). Cookie security flag analysis. E2E encryption claim verification. Auth mechanism discovery.

EXTRACT (INJECT gate)

23 real system-prompt extraction payloads via live HTTP POST. Confidence scoring via regex pattern matching on 7 indicator sets. Extracted content isolation. Memory API endpoint enumeration across 9 known paths. Best-extraction ranking by confidence score.

JAILBREAK (INJECT gate)

47 content moderation bypass payloads: DAN 6.0, DUDE, AIM, Developer Mode (5 payloads). Roleplay framing — fiction writer, hypothetical, character no limits (5). Crescendo 8-step escalation. Encoding — base64, ROT13, hex, unicode homoglyph, token split (5). Crosslingual in French/German/Spanish/Russian/Chinese/Arabic (6). Many-shot at 5/10/20/50/256 shots (5). Token smuggling across 5 message turns (5). Total: 39 fired in tests, full 47 in production mode.

HIJACK (INJECT gate)

JWT algorithm confusion — forges HS256 JWT using RSA public key's raw DER bytes as HMAC secret. JWT alg:none bypass — manually crafts unsigned token. OTP rate-limit probe (20 burst attempts). OAuth state parameter fixation. Session replay against authenticated endpoints. Email enumeration via password reset timing (200ms+ differential). Cookie security flag detection (HttpOnly/Secure/SameSite). Password reset token entropy analysis (Shannon bits <64 = HIGH).
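The HIJACK checks above (JWT alg:none, HS256/RS256 algorithm confusion, reset-token entropy) and the cookie security flag analysis under ENUMERATE each describe something a platform's own auth layer should refuse or enforce. What follows is an added example, not SPECTER COMPANION code, showing the defender-side counterparts: a verifier that pins the JWT algorithm and refuses a PEM public key as an HMAC secret, a Shannon-entropy estimate for reset tokens using the page's 64-bit threshold, and a Set-Cookie flag audit. Every token, secret and header in it is constructed test data, and the entropy formula (per-character Shannon entropy times token length) is an assumption about how the tool computes "Shannon bits".

```python
"""Auth-layer hardening checks (added example; not part of SPECTER COMPANION).
Standard library only. All tokens, keys and headers here are constructed test data.
"""
import base64
import hashlib
import hmac
import json
import math
from typing import Dict, List


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT the normal way (used to build the positive test case)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify a JWT with the algorithm pinned to HS256.

    The header's 'alg' is never used to select the algorithm, so 'none' and
    'RS256' tokens fail the same way. A secret that is really a PEM public key
    is refused outright: that is the precondition for HS256/RS256 confusion.
    Raises ValueError on any failure; returns the claims on success.
    """
    if b"-----BEGIN" in secret and b"PUBLIC KEY" in secret:
        raise ValueError("refusing a PEM public key as an HMAC secret")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison; a byte-by-byte compare leaks via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def is_valid_hs256(token: str, secret: bytes) -> bool:
    """Boolean wrapper. json and base64 errors subclass ValueError, so garbage
    headers and bad padding are covered by the same except clause."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False


def shannon_bits(token: str) -> float:
    """Entropy estimate for one token: per-character Shannon entropy times length.
    Assumed to match the tool's 'Shannon bits'; a real audit should pool many
    tokens, because one sample under-estimates the generator's alphabet."""
    if not token:
        return 0.0
    n = len(token)
    counts: Dict[str, int] = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def reset_token_risk(token: str, threshold_bits: float = 64.0) -> str:
    """Page's rule: fewer than 64 estimated bits is HIGH risk for a reset token."""
    return "HIGH" if shannon_bits(token) < threshold_bits else "OK"


def cookie_flag_findings(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Report missing HttpOnly / Secure / SameSite per cookie in Set-Cookie headers.
    SameSite=None is treated as missing because it gives up the CSRF protection."""
    findings: Dict[str, List[str]] = {}
    for hdr in set_cookie_headers:
        parts = [p.strip() for p in hdr.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs: Dict[str, object] = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.lower()] = v.lower() if v else True
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if attrs.get("samesite") in (None, True, "none"):
            missing.append("SameSite")
        findings[name] = missing
    return findings


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print(is_valid_hs256(mint_hs256({"sub": "user-1"}, secret), secret))
    print(reset_token_risk("123456"), reset_token_risk("0123456789abcdef0123456789abcdef"))
    print(cookie_flag_findings(["session=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
                                "track=xyz; Path=/"]))
```

The design choice that matters is that `verify_hs256` takes the algorithm from the caller, not from the token: a verifier that dispatches on the header's `alg` is exactly what both the alg:none bypass and the public-key-as-HMAC-secret confusion rely on.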

PERSONA-FORGE (INJECT gate)

12-message memory poisoning chain — escalates from rapport-building to direct identity replacement across the context window. 5 persona override injection payloads (SYSTEM slot, admin override, developer injection, role replacement, context flush). Cross-session persistence validation — probes new sessions for injected memory. Levenshtein typosquat detection ≤2 distance against 38 known companion names.
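The Levenshtein typosquat detection above is the one PERSONA-FORGE check a platform can run on its own side, against the persona names its users create. The following is an added example, not SPECTER COMPANION code: a rolling-row Levenshtein implementation and a matcher that flags any name within edit distance 2 of a known brand. The known-name list holds only the platforms named on this page (the tool's full list of 38 is not on the page), and the candidate names are constructed.

```python
"""Typosquat detection for companion brand names (added example; not part of
SPECTER COMPANION). Known names are the platforms named on this page; the
candidate names passed in are constructed."""
from typing import Dict, List, Tuple

# Platforms named on the page; the tool's own 38-entry list is not reproduced here.
KNOWN_COMPANIONS: List[str] = [
    "replika", "candy.ai", "character.ai", "dreamgf", "crushon.ai", "paradot",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row (O(len(b)) memory)."""
    if a == b:
        return 0
    if not a:
        return len(b)
    if not b:
        return len(a)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def typosquat_matches(name: str, known: List[str] = KNOWN_COMPANIONS,
                      max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (brand, distance) for every known name within max_distance of
    `name`, nearest first. An exact match is the brand itself, not a squat,
    so it is excluded."""
    candidate = name.strip().lower()
    hits: List[Tuple[str, int]] = []
    for brand in known:
        if candidate == brand:
            continue
        d = levenshtein(candidate, brand)
        if d <= max_distance:
            hits.append((brand, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def flag_persona_names(names: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Audit a batch of user-facing persona names (for example from a companion
    creation form) and report the ones that impersonate a known brand."""
    return {n: typosquat_matches(n) for n in names if typosquat_matches(n)}


if __name__ == "__main__":
    # Constructed names: one digit substitution, one doubled letter, two benign.
    print(flag_persona_names(["Repl1ka", "paradott", "Luna", "wikipedia"]))
```

Distance 2 is loose enough to catch a single swapped glyph plus a dropped dot, which is what the page's threshold targets; raising it would start matching short legitimate names against each other, so a production deployment should pair it with a length floor.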

HARVEST (UNLEASHED gate)

Async IDOR sweep across 10 endpoint templates × N IDs (asyncio + httpx). PII field detection — 20+ field types including sexual_preferences, fantasy, kink, credit_card, ssn. Sanitised evidence recording (values redacted, field names preserved). Payment webhook endpoint probing (Stripe, Paddle). Third-party tracker integration testing. Concurrent enumeration at full asyncio throughput.

WEAPONISE (UNLEASHED gate)

7 social engineering payloads delivered via companion injection: credential harvest (helpdesk impersonation), password reset breach panic, financial data extraction (billing issue), malicious URL injection, PII extraction via trust, 2FA code harvest (SMS intercept), spear-phish using intimate user context. Each payload: inject adversarial directive then probe with target-style message. Detects credential_request, url_injection, and SE success.

Attack Techniques

Technique | Description | Subsystem
System Prompt Extraction | 23 injection payloads targeting companion instruction leakage via echo, translation, and debug framing | EXTRACT
JWT Algorithm Confusion | RSA public key used as HMAC-SHA256 secret via raw DER bytes — forges valid authentication tokens | HIJACK
Crescendo Escalation | 8-turn conversation that incrementally normalises restriction removal before final payload | JAILBREAK
Memory Poisoning | 12-message chain implants adversarial instructions in companion memory, validated cross-session | PERSONA-FORGE
IDOR Mass PII Sweep | Sequential ID enumeration across 10 API templates — email, phone, sexual preferences, conversation history | HARVEST
Companion Weaponisation | Companion directed to harvest credentials, inject URLs, and conduct spear-phish using intimate user data | WEAPONISE
OTP Brute Force | Rate-limit absence probe — 20 sequential OTP attempts without HTTP 429 | HIJACK
Many-Shot 256 | 256 in-context examples establish behavioural precedent before restricted request | JAILBREAK

Usage

pip install specter-companion

# Platform fingerprinting (OPEN gate)
specter-companion enumerate https://candy.ai

# Extract system prompt (INJECT gate)
export COMPANION_INJECT_KEY=your-key
specter-companion extract https://candy.ai \
  --bearer $SESSION_TOKEN --companion-id abc123

# Fire 47 jailbreak payloads (INJECT gate)
specter-companion jailbreak https://candy.ai \
  --bearer $SESSION_TOKEN --companion-id abc123

# JWT algorithm confusion attack (INJECT gate)
specter-companion hijack https://candy.ai \
  --jwt-token $JWT --jwt-public-key "$(cat public.pem)"

# Memory poisoning + persona override (INJECT gate)
specter-companion persona-forge https://candy.ai \
  --bearer $TOKEN --companion-name "luna"

# Full INJECT assessment
specter-companion full https://candy.ai \
  --bearer $TOKEN --companion-id abc123 \
  --signing-key /path/to/ed25519.key \
  --output cpx-report.json

# IDOR sweep (UNLEASHED gate)
specter-companion harvest https://candy.ai \
  --bearer $TOKEN --unleashed-key /path/to/key \
  --roe /path/to/roe.txt \
  --confirm-user-targeting \
  --id-start 1 --id-count 500

# Weaponise companion (UNLEASHED gate)
specter-companion weaponise https://candy.ai \
  --bearer $TOKEN --companion-id abc123 \
  --unleashed-key /path/to/key --roe /path/to/roe.txt \
  --confirm-user-targeting

WMD Classes

- companion_platform_total_compromise
- ai_companion_mass_pii_exfiltration
- companion_persona_weaponisation
- content_moderation_systemic_failure
- companion_mediated_social_engineering

MITRE Mappings

Framework | IDs
MITRE ATLAS | AML.T0051 (Prompt Injection), AML.T0054 (LLM Jailbreak)
MITRE ATT&CK | T1078 (Valid Accounts), T1539 (Steal Web Session Cookie), T1528 (Steal Application Access Token), T1087 (Account Discovery), T1185 (Browser Session Hijacking), T1650 (Acquire Access)