Indirect Prompt Injection · High

Google Bard indirect injection to data exfiltration

October 2023 · Google Bard (now Gemini)
What happened
A malicious Google Doc shared with a victim could inject instructions when Bard processed it, causing Bard to encode the user's chat history into a Markdown image URL. When the image was rendered, the request for it sent that data to an attacker server.
Root cause
Bard rendered Markdown images and trusted instructions embedded in untrusted documents, so image loading allowed data to leave via the URL.
Fix / outcome
Google confirmed a fix about a month after the report, constraining how and where images could be rendered.
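One way to constrain where images may render, shown as an added example that is neither Google's actual fix nor code from the original report: a JavaScript filter applied to model output before it reaches the Markdown renderer. The allow-listed host, the sample text and all function names are assumptions.

```javascript
// Hypothetical policy: the only host allowed to serve images in chat output.
const ALLOWED_IMAGE_HOSTS = new Set(["images.example.com"]);

// Inline images: ![alt](url "optional title")
const INLINE_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
// Reference definitions: [label]: url  (these can back a ![alt][label] image)
const REFERENCE_DEF = /^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?[ \t]*(?:"[^"]*")?[ \t]*$/gm;

function isAllowedImageUrl(raw) {
  let url;
  try {
    url = new URL(raw); // relative or malformed URLs throw and are rejected
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  // Reject userinfo tricks such as https://allowed-host@other-host/
  if (url.username || url.password) return false;
  return ALLOWED_IMAGE_HOSTS.has(url.hostname);
}

// Replaces every image (or reference definition) whose URL fails the policy
// with inert text, and reports what was blocked so it can be logged.
// Conservative: reference-style links to other hosts are neutralised too.
function sanitizeModelMarkdown(markdown) {
  const blocked = [];
  const check = (whole, label, url) => {
    if (isAllowedImageUrl(url)) return whole;
    blocked.push(url);
    return `[image removed: ${label || "untitled"}]`;
  };
  const text = markdown.replace(INLINE_IMAGE, check).replace(REFERENCE_DEF, check);
  return { text, blocked };
}

// Constructed sample of model output; hosts and query values are made up.
const SAMPLE = [
  "Here is your summary.",
  "![logo](https://images.example.com/logo.png)",
  "![x](https://collector.example.net/p?q=CONSTRUCTED)",
  "![y][r]",
  "[r]: https://collector.example.net/p?q=CONSTRUCTED2",
].join("\n");

const result = sanitizeModelMarkdown(SAMPLE);
console.log(result.text);
console.log("blocked:", result.blocked);
```

Text filtering like this is a first layer; a Content-Security-Policy `img-src` restriction on the chat page enforces the same host policy in the browser.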