Research Notes

Data Exfiltration via Rendered Markdown Images

By Satwik ยท May 23, 2026

A recurring exfiltration technique against chat assistants abuses automatic image rendering. Many chat interfaces render markdown, so a model output containing an image reference causes the client to fetch that URL. If an attacker can control part of the model's output, typically via prompt injection, the model can be induced to encode sensitive context, prior conversation, retrieved documents, or user data, into the query string of an image URL pointing at an attacker-controlled server. When the client renders the image, it silently sends the data to the attacker as an HTTP request. No click is required.

Security researchers, including Johann Rehberger, demonstrated this pattern against multiple production assistants over 2023 and 2024, and vendors responded with fixes such as content security policies, URL allowlisting, and disabling arbitrary external image loads.

Why it matters: it chains a text-only vulnerability (injection) into real data theft by exploiting a benign-seeming rendering feature. The user sees a normal-looking answer, or a broken image icon, while their data leaves over an image request. It is a canonical example of how output-handling, not just input, is part of the attack surface.

The defensive lesson centers on the rendering layer. Do not auto-fetch arbitrary external resources from model output. Restrict image and link destinations to trusted domains, proxy or sanitize URLs, apply a strict content security policy, and consider requiring user action before loading remote content. The model may be tricked into writing the exfiltration payload, so the client must refuse to deliver it.