Your LLM Agent Can Leak Your Data: Data Exfiltration via Backdoored Tool Use
This work addresses a critical security vulnerability for users of LLM agents in sensitive workflows, highlighting an underexplored threat of data exfiltration.
The paper tackles the risk of systematic data exfiltration in tool-use LLM agents by introducing Back-Reveal, an attack that uses semantic triggers to leak user data via backdoored tool calls, demonstrating that multi-turn interactions amplify this leakage.
Tool-use large language model (LLM) agents are increasingly deployed to support sensitive workflows, relying on tool calls for retrieval, external API access, and session memory management. While prior research has examined various threats, the risk of systematic data exfiltration by backdoored agents remains underexplored. In this work, we present Back-Reveal, a data exfiltration attack that embeds semantic triggers into fine-tuned LLM agents. When triggered, the backdoored agent invokes memory-access tool calls to retrieve stored user context and exfiltrates it via disguised retrieval tool calls. We further demonstrate that multi-turn interaction amplifies the impact of data exfiltration, as attacker-controlled retrieval responses can subtly steer subsequent agent behavior and user interactions, enabling sustained and cumulative information leakage over time. Our experimental results expose a critical vulnerability in LLM agents with tool access and highlight the need for defenses against exfiltration-oriented backdoors.