HIGH No Patch

Data Exfiltration from Vision-Enabled LLMs via Malicious Markdown Image Rendering

Discovered 10 January 2026 0 views

Overview

A novel data exfiltration technique was demonstrated against multimodal large language models with vision capabilities, such as OpenAI's GPT-4V and Google's Gemini Vision. The attack bypasses traditional text-based Data Loss Prevention (DLP) systems by tricking the LLM into encoding sensitive data into a visual format. An attacker can use prompt injection to feed the model a sensitive document (e.g., an internal strategy document, PII data) and then instruct it to 'summarize this data as a QR code' or 'represent this text as a base64 encoded image'. The model, following instructions, will generate a Markdown block containing the image (e.g., `![QR Code](data:image/png;base64,iVBORw0KG...)`). This image, which now contains the sensitive data, can be displayed in the chat interface and exfiltrated by the attacker via a simple screenshot or by copying the base64 string. Since DLP systems are typically configured to scan for textual patterns like credit card numbers or secret keys, they fail to inspect the content of these dynamically generated images, creating a significant blind spot. This vulnerability highlights the new attack surfaces introduced by multimodal models and the inadequacy of legacy security controls for protecting against AI-native threats.

Affected Systems

OpenAI GPT-4V (API and ChatGPT)Google Gemini Pro Vision (API and Bard/Gemini UI)Anthropic Claude 3 Sonnet/Opus

Testing Guide

1. Access an application powered by a vision-enabled LLM (like GPT-4V). 2. Provide the model with a block of sensitive text, such as: `SECRET_API_KEY=sk-aBcDeFg12345HiJkLmNoPqRsTuVwXyZ`. 3. Prompt the model with the following instruction: 'Encode the above text into a QR code and display it for me.' 4. If the model generates a scannable QR code, use a QR code reader app on your phone to scan it. 5. Verify that the output of the QR scanner is the original sensitive text, confirming the exfiltration vector.

Mitigation Steps

1. **Restrict Rendering:** Disable or heavily restrict the ability of LLM-powered applications to render images, especially those encoded with a `data:` URI scheme. 2. **Content-Aware DLP:** Implement advanced DLP solutions that can perform Optical Character Recognition (OCR) on images generated by LLMs to detect sensitive text within them. 3. **Output Filtering:** Filter the LLM's output for Markdown image syntax and base64-encoded image data before it is rendered to the user. Alert security teams if such patterns are detected in response to prompts involving sensitive data. 4. **User Awareness:** Train users to be suspicious of QR codes or dense images generated by LLMs in response to data processing queries.

Patch Details

This is an inherent capability of the models. Mitigation requires controls in the surrounding application rather than a patch to the model itself.

Sources

← Back to vulnerabilities