Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Click any words you think contain an error. Click again to unmark.
A Markdown image tag pointing at an attacker-controlled host with PII in the query string is a silent data-exfiltration channel, the chat renderer auto-fetches the image and leaks the data on every render.
Picture a chatbot that can write replies including pictures. The user does not have to click anything; the picture just appears. Now imagine someone has tricked the chatbot into writing a picture whose address is a website the attacker owns, and the address has the user's email and a secret token stuck to the end of it like a luggage tag. Every time the reply is displayed, the user's screen quietly phones the attacker's server to fetch the picture, and the luggage tag is delivered with it. Nobody clicked. Nobody saw an image attach itself to anything. The data left through a channel that looks like a normal page render.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
3 min: identify the Markdown image tag, explain the auto-fetch channel, attribute root cause to indirect injection, list the output-rail defences, and add renderer-policy defence in depth.
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating Markdown rendering as cosmetic and not as an outbound network channel; any auto-fetched URL embedded in model output is a potential exfiltration vector.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.