Your LLM Agent Can Leak Your Data: Data Exfiltration via Backdoored Tool Use

TL;DR

This paper uncovers a vulnerability in tool-using LLM agents where backdoored models can leak sensitive user data through semantic triggers and manipulated tool calls, especially over multi-turn interactions.

Contribution

It introduces Back-Reveal, a novel backdoor attack method that enables systematic data exfiltration from LLM agents with tool access, highlighting a critical security risk.

Findings

Back-Reveal successfully triggers data exfiltration in LLM agents.

Multi-turn interactions amplify the extent of data leakage.

The study exposes a significant vulnerability in current LLM agent security.

Abstract

Tool-use large language model (LLM) agents are increasingly deployed to support sensitive workflows, relying on tool calls for retrieval, external API access, and session memory management. While prior research has examined various threats, the risk of systematic data exfiltration by backdoored agents remains underexplored. In this work, we present Back-Reveal, a data exfiltration attack that embeds semantic triggers into fine-tuned LLM agents. When triggered, the backdoored agent invokes memory-access tool calls to retrieve stored user context and exfiltrates it via disguised retrieval tool calls. We further demonstrate that multi-turn interaction amplifies the impact of data exfiltration, as attacker-controlled retrieval responses can subtly steer subsequent agent behavior and user interactions, enabling sustained and cumulative information leakage over time. Our experimental results expose a critical vulnerability in LLM agents with tool access and highlight the need for defenses against exfiltration-oriented backdoors.