FRESH

Hacker News

Data exfil from agents in messaging apps

33 points by sarelta

by wunderwuzzi23

0 subcomment

Correct. Good to see this get more coverage.
Check out my research about unfurling in common messenger apps and also mitigations here:
https://embracethered.com/blog/posts/2023/ai-injections-thre...
And here "dangers of unfurling and what to do about it"
https://embracethered.com/blog/posts/2024/the-dangers-of-unf...

by ChatEngineer

1 subcomments

Good research on the unfurling vector. This is exactly the kind of thing that gets overlooked when agents are integrated into messaging flows.
Re: OpenClaw specifically - the framework was actually designed with this threat model in mind. The default security posture is:
- Sandboxed execution (no arbitrary shell without explicit user approval) - Browser automation runs in isolated profile with limited cookie scope - All external tool calls require confirmation prompts by default - The "profile" system means even if an agent compromises one workspace, it doesn't automatically have access to others
The vulnerability described here (URL preview exfiltration via rich embeds) affects any agent with web browsing capabilities, not OpenClaw specifically. The mitigation is treating all URL resolution as untrusted input - which is why production agent deployments should run with network policies that block unexpected egress.
The bigger pattern worth noting: agents with implicit browsing + messaging integration create a perfect data exfil channel because the "message preview" is essentially a blind HTTP request that bypasses user intent checks. This is a protocol-level issue, not a framework bug.

by tiny-automates

0 subcomment

the unfurling vector is elegant because it exploits a feature that predates LLMs entirely, link previews were designed for human-shared URLs where the sender is trusted.
once an LLM is generating the message content, the trust model breaks completely: the "sender" is now an entity that can be manipulated via indirect prompt injection to construct arbitrary URLs with exfiltrated data in query params.
the fix isn't just disabling previews, it's that any agent-to-user messaging channel needs to treat LLM-generated URLs as untrusted output and strip or sandbox them before rendering. this is basically an output sanitization problem, same class as XSS but at the protocol layer between the agent and the messaging app.
the fact that Telegram and Slack both fetch preview metadata server-side makes this worse - the exfil request happens from their infrastructure, not the user's device, so client-side mitigations don't help at all.

by OkayPhysicist

1 subcomments

This page seems to need some input sanitation. Someone seems to have spammed slurs into their input boxes.

0 subcomment