AI Applications Vulnerable to Indirect Prompt-Injection Attacks