Prompt injection has emerged as a documented class of vulnerability affecting large language models (LLMs), particularly those integrated into web browsers and productivity tools. This attack occurs when malicious text, hidden within web pages or documents, manipulates an AI assistant’s behavior without the user’s knowledge.

Demonstrated Indirect Injection Attacks

Security researchers have publicly demonstrated a technique known as indirect prompt injection. In these documented cases, an attacker embeds a malicious command on a website. When an AI browser assistant, such as Microsoft’s Copilot (formerly Bing Chat), accesses this website to summarize it or answer a user’s question, it processes the hidden command. For example, researchers successfully crafted prompts that instructed the AI to present misleading information to the user or to attempt to extract data from the conversation.

One documented proof-of-concept involved hiding instructions in a webpage’s HTML, sometimes as white text on a white background. These instructions directed the AI assistant to adopt a specific persona and persuade the user to reveal personal information. The attack was successful in research environments, showing the AI following the attacker’s hidden instructions over the user’s explicit ones.

Exfiltration of User Data from Integrated Services

Further research has confirmed the ability of prompt injection attacks to exfiltrate data from users. By embedding malicious instructions on a public webpage, researchers caused AI assistants with browsing capabilities to access and transmit user data. One specific demonstration involved a malicious prompt that commanded a ChatGPT plugin to retrieve a user’s private files from a connected cloud service and encode the contents into a URL, leaking the data to an attacker-controlled server.

In another published example, a security researcher showed how a prompt hidden on one website could instruct an AI browser sidebar to read content from another open browser tab and exfiltrate that information. These events were executed and documented by security professionals to highlight the existing vulnerability in integrated AI tools.

Source: https://www.schneier.com/blog/archives/2025/11/prompt-injection-in-ai-browsers.html