Скачать или смотреть OpenAI: Preventing URL-Based Data Exfiltration in Language-Model Agents

Large language model agents that autonomously navigate the web face a significant security risk known as URL-based data exfiltration, where adversaries utilize prompt injection to trick models into accessing malicious URLs containing encoded sensitive user information. To counter this, Spânu and Shadwell (2025) propose replacing inadequate static domain allow-lists, which suffer from low coverage and vulnerabilities to open redirects, with a dynamic policy that restricts agents to accessing only URLs previously visited by an independent search index. This approach relies on the premise that if a crawler operating without user context has already indexed a specific URL, that URL cannot contain private user data, thereby offering a robust safety guarantee against exfiltration while covering approximately 80% of user traffic. Although this method significantly reduces the attack surface, the authors acknowledge limitations regarding theoretical keyboard attacks and the inability to index session-specific URLs, positioning this solution as a necessary compensating control while intrinsic model robustness evolves.

https://cdn.openai.com/pdf/dd8e7875-e...