Close Menu
  • Home
  • Cybercrime and Ransomware
  • Emerging Tech
  • Threat Intelligence
  • Expert Insights
  • Careers and Learning
  • Compliance

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

What's Hot

CISA Adds Adobe, Joomla, Langflow Flaws to KEV

July 8, 2026

Google Cloud links Wiz data to threat actors and attack techniques

July 8, 2026

Accenture Data Breach: Hackers Claim to Have Stolen 35 GB of Source Code

July 8, 2026
Facebook X (Twitter) Instagram
The CISO Brief
  • Home
  • Cybercrime and Ransomware
  • Emerging Tech
  • Threat Intelligence
  • Expert Insights
  • Careers and Learning
  • Compliance
Home » Top GenAI Tools Open to ‘Man in the Prompt’ Browser Attack
Uncategorized

Top GenAI Tools Open to ‘Man in the Prompt’ Browser Attack

Staff WriterBy Staff WriterJuly 30, 2025No Comments4 Mins Read12 Views
Facebook Twitter Pinterest LinkedIn Tumblr Email
Share
Facebook Twitter LinkedIn Pinterest WhatsApp Email


An innovative prompt injection attacker can steal your data using nothing but a browser extension.

Browser security vendor LayerX published research today dedicated to an attack it discovered that represents a “weakness” in how browser instances of AI tools interact with the Web browser itself. Called “man in the prompt,” the exploit relies on the fact that for many generative AI/LLM-powered tools, the input field is part of the page’s Document Object Model (DOM), an API that Web browsers use to render documents.

Because browser extensions can have high permissions in a Web browser, and because they also rely on the DOM, LayerX said, “any browser extension with scripting access to the DOM can read from, or write to, the AI prompt directly.” That’s where the opportunity for attackers come in.

“LayerX’s research shows that any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it, and cover their tracks,” according to the research, which was shared exclusively with Dark Reading.

Though it is not a vulnerability involving a specific model or product, LayerX claimed that multiple models including ChatGPT, Gemini, Deepseek, Copilot, and Claude are susceptible to two versions of the attack.

Related:The CrowdStrike Outage Was Bad, but It Could Have Been Worse

Man in the Prompt: How It Works

Attackers can execute the exploit in multiple ways, such as via a browser extension installed post-exploitation, an extension unwittingly installed via a social engineering method like phishing or typosquatting, or an extension the user already has installed that the attacker purchased access to and then poisoned.

In this last case, no action on the part of the user is necessary. This doesn’t appear to be a far-fetched scenario either, as Chrome Web Store (to name one injection) has a whole class of extensions that include prompt writing, reading, and editing as part of their feature sets.

Once the attacker has access to an extension inside a user’s vulnerable browser, the extension can communicate with generative AI (GenAI) tools, inject prompts, and read them. The most obvious risk here is data leakage and theft as, depending on the tool, an attacker could gain access to personally identifiable data, folder and file contents, and more.

Internal LLMs are particularly exposed because they, as the research noted, “are often trained or augmented with highly sensitive, proprietary organizational data,” such as legal documents, internal communications, source code, intellectual property, financial forecasts, corporate strategy, and so on.

Related:The Hidden Threat of Rogue Access

These internal LLMs also have a high level of trust from a security perspective, as well as fewer query guardrails.

The research includes proof-of-concept (PoC) exploits for both ChatGPT and Gemini.

In the former, the user installed a compromised extension with no permissions enabled. A command-and-control (C2) server sent a query to the extension, which opens a background tab and queries ChatGPT. The results are exfiltrated to an external log, and the extension deletes relevant chat history.

The Gemini PoC relies on the fact that, by default, Gemini has access to all data accessible to the end user in Google Workspace, like email, documents, contacts, and all shared files and folders the user has permissions for. The Gemini integration into Workspace also includes a sidebar in Google apps, allowing the user to automate certain functions.

“The new Gemini integration is implemented directly within the page as added code on top of the existing page. It modifies and directly writes to the web application’s Document Object Model (DOM), giving it control and access to all functionality within the application,” LayerX said in its research.

“LayerX has found that the way this integration is implemented, any browser extension, without any special extension permissions, can interact with the prompt, and inject prompts into it. As a result, practically any extension can access the Gemini sidebar prompt and query it for any data it desires,” the researchers added.

Related:Root Evidence Bets on New Concept for Vulnerability Patch Management

Risk and Mitigation

LayerX CEO and co-founder Or Eshed tells Dark Reading he has “no doubt” attackers will exploit this attack. “The potential use cases and scenarios for this attack are infinite,” he says. “It’s a very low-hanging fruit.”

But while the potential for exploitation is high, and while traditional security tools don’t have visibility into DOM-level interactions, Or explains that on the defender side, securing a browser is “manageable and achievable to secure with either browser protection or more secure AI applications.”

LayerX said in its research that defenders should monitor DOM interactions within their GenAI tools via listeners or webhooks, and also block risky extensions based on behavioral risk rather than allowlists. Organizations should also regularly audit the extensions in their environment, as well as the permissions those extensions have.



Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleData Breach Costs Surge to $10.22 Million
Next Article Orange Struck by Cyberattack: a Wake-Up Call for Telecom Security
Avatar photo
Staff Writer
  • Website

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Windows Device ID Unveiled: Key to FBI’s Capture of Alleged Scattered Spider Hacker

July 7, 2026

South Korea Denies Discrimination Allegations Against Coupang

July 2, 2026

Salesforce Disables Klue App After Data Breach from Token Abuse

June 19, 2026
Leave A Reply Cancel Reply

Latest Posts

Accenture Data Breach: Hackers Claim to Have Stolen 35 GB of Source Code

July 8, 2026

Hidden Threats: RDP and WinRAR Exploit Target Ukraine

July 7, 2026

Disrupting Ransomware: How VECT and TeamPCP Counter Supply Chain Credential Theft

July 7, 2026

The Gentlemen Ransomware: Accelerating Global Attacks with Custom EDR/AV Killers

July 7, 2026
Don't Miss

Windows Device ID Unveiled: Key to FBI’s Capture of Alleged Scattered Spider Hacker

By Staff WriterJuly 7, 2026

Fast Facts U.S. prosecutors linked hacker Peter Stokes to a 2025 retail break-in using a…

South Korea Denies Discrimination Allegations Against Coupang

July 2, 2026

Salesforce Disables Klue App After Data Breach from Token Abuse

June 19, 2026

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

Recent Posts

  • CISA Adds Adobe, Joomla, Langflow Flaws to KEV
  • Google Cloud links Wiz data to threat actors and attack techniques
  • Accenture Data Breach: Hackers Claim to Have Stolen 35 GB of Source Code
  • Rogue Agent: AI Chatbot Data Theft Uncovered
  • Hidden Threats: RDP and WinRAR Exploit Target Ukraine
About Us
About Us

Welcome to The CISO Brief, your trusted source for the latest news, expert insights, and developments in the cybersecurity world.

In today’s rapidly evolving digital landscape, staying informed about cyber threats, innovations, and industry trends is critical for professionals and organizations alike. At The CISO Brief, we are committed to providing timely, accurate, and insightful content that helps security leaders navigate the complexities of cybersecurity.

Facebook X (Twitter) Pinterest YouTube WhatsApp
Our Picks

CISA Adds Adobe, Joomla, Langflow Flaws to KEV

July 8, 2026

Google Cloud links Wiz data to threat actors and attack techniques

July 8, 2026

Accenture Data Breach: Hackers Claim to Have Stolen 35 GB of Source Code

July 8, 2026
Most Popular

Protecting MCP Security: Defeating Prompt Injection & Tool Poisoning

January 30, 202634 Views

Unlock the Power of Free WormGPT: Harnessing DeepSeek, Gemini, and Kimi-K2 AI Models

November 27, 202530 Views

The New Face of DDoS is Impacted by AI

August 4, 202528 Views

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025

Categories

  • Compliance
  • Cyber Updates
  • Cybercrime and Ransomware
  • Editor's pick
  • Emerging Tech
  • Events
  • Featured
  • Insights
  • Most Read
  • Threat Intelligence
  • Uncategorized
© 2026 thecisobrief. Designed by thecisobrief.
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions

Type above and press Enter to search. Press Esc to cancel.