Click any words you think contain an error. Click again to unmark.
A Markdown image tag pointing at an attacker-controlled host with PII in the query string is a silent data-exfiltration channel, the chat renderer auto-fetches the image and leaks the data on every render.
Picture a chatbot that can write replies including pictures. The user does not have to click anything; the picture just appears. Now imagine someone has tricked the chatbot into writing a picture whose address is a website the attacker owns, and the address has the user's email and a secret token stuck to the end of it like a luggage tag. Every time the reply is displayed, the user's screen quietly phones the attacker's server to fetch the picture, and the luggage tag is delivered with it. Nobody clicked. Nobody saw an image attach itself to anything. The data left through a channel that looks like a normal page render.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
3 min: identify the Markdown image tag, explain the auto-fetch channel, attribute root cause to indirect injection, list the output-rail defences, and add renderer-policy defence in depth.
Real products, models, and research that use this idea.
- Published incident reports against early Microsoft Copilot, Google Bard, and several ChatGPT plugins all involved Markdown image exfiltration through indirect injection.
- Simon Willison's blog series on prompt injection includes multiple documented Markdown-image exfiltration proofs against shipping products.
- Anthropic, OpenAI, and Microsoft now publish guidance for product teams to disable auto-fetch on inline images in any chat surface that handles user data on Claude Opus 4.7 or GPT-5.5 deployments.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you detect that this attack succeeded in production?
QWhat about Markdown links instead of images?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating Markdown rendering as cosmetic and not as an outbound network channel; any auto-fetched URL embedded in model output is a potential exfiltration vector.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.