First exploits and fixes go back 2+ years.
The noteworthy point to highlight here is a lesser-known indirection reference feature in markdown syntax which allowed this bypass, e.g.:
![logo][ref]
[ref]: https://url.com/data
It's also interesting that one screenshot shows January 8, 2025. Not sure when Microsoft learned about this, but it could have taken 5 months to fix - which seems very long.
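The reference form quoted in the comment above, as an added example that is not part of the original comment: a check that looks only at inline `![alt](url)` images sees nothing in it, while a check that resolves reference definitions first recovers the URL and can apply a host allowlist. The function names, the allowlisted host `static.example.com`, and the premise that the bypassed check inspected only inline syntax are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts the renderer may fetch images from (hypothetical).
ALLOWED_IMAGE_HOSTS = {"static.example.com"}

# Inline image: ![alt](url)
INLINE_IMG = re.compile(r'!\[[^\]]*\]\(\s*<?([^)\s>]+)')
# Reference definition: [label]: url
REF_DEF = re.compile(r'^ {0,3}\[([^\]]+)\]:\s*<?([^\s>]+)', re.M)
# Reference image: ![alt][label], ![label][] (collapsed), ![label] (shortcut)
REF_IMG = re.compile(r'!\[([^\]]*)\](?:\[([^\]]*)\])?(?!\()')


def _norm(label):
    # CommonMark matches labels case-insensitively with collapsed whitespace.
    return " ".join(label.split()).casefold()


def inline_only_urls(md):
    """Naive view: only inline images are visible to this check."""
    return INLINE_IMG.findall(md)


def image_urls(md):
    """Resolve inline and reference-style images to their target URLs."""
    defs = {}
    for label, url in REF_DEF.findall(md):
        defs.setdefault(_norm(label), url)  # first definition wins
    urls = list(INLINE_IMG.findall(md))
    for alt, label in REF_IMG.findall(md):
        key = _norm(label or alt)  # empty label falls back to the alt text
        if key in defs:
            urls.append(defs[key])
    return urls


def blocked_images(md):
    """Image URLs whose host is not on the allowlist."""
    return [u for u in image_urls(md)
            if urlparse(u).hostname not in ALLOWED_IMAGE_HOSTS]


# Constructed sample using the reference form from the comment.
SAMPLE = "![logo][ref]\n\n[ref]: https://url.com/data\n"

if __name__ == "__main__":
    print("inline-only check sees:", inline_only_urls(SAMPLE))
    print("resolved check blocks: ", blocked_images(SAMPLE))
```

Regexes approximate the markdown grammar; a production filter should run the same check on the parsed document or the rendered HTML so it agrees with what the renderer actually loads.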