Your Browser Extensions Can Hijack Your AI Prompts
A groundbreaking report from cybersecurity firm LayerX has unveiled a new and alarming cyberattack method dubbed 'Man in the Prompt.' This technique allows malicious actors to use everyday browser extensions to compromise leading generative AI tools, including ChatGPT and Google Gemini.
The vulnerability stems from a fundamental aspect of how AI tools operate within web browsers. According to the research, the input fields for AI prompts are ordinary elements of the web page's structure, the Document Object Model (DOM). As a result, nearly any browser extension with standard scripting access to the page can read or modify a user's prompts without requesting any special permissions.
How the Man in the Prompt Attack Works
Attackers can leverage compromised or intentionally malicious browser extensions to perform a range of harmful actions. They can manipulate your input to an AI, inject hidden instructions, steal sensitive data from AI responses, or even trick the AI into revealing confidential information. In essence, the browser extension becomes an invisible "man in the middle" that intercepts and alters your interactions with AI services.
The risk is magnified because many users and businesses rely on browser-based AI tools to handle sensitive information. Confidential company data, internal reports, and proprietary code are often pasted into these interfaces. With many organizations allowing employees to freely install browser extensions, a single malicious extension can create a silent backdoor for attackers to steal valuable corporate knowledge.
"The exploit has been tested on all top commercial LLMs... The implication for organisations is that as they grow increasingly reliant on AI tools, these LLMs, especially those trained with confidential company information, can be turned into ‘hacking copilots’ to steal sensitive corporate information." – LayerX
Real-World Exploits on ChatGPT and Gemini
The LayerX team demonstrated proof-of-concept attacks to show the real-world danger. In one test, an extension with minimal permissions was able to inject a prompt into ChatGPT, steal the AI's response, and then delete the interaction from the user's chat history to avoid detection.
For Google Gemini, the attack was even more concerning due to its deep integration with Google Workspace. A malicious extension could inject prompts to access and exfiltrate a user's private data—including emails, contacts, and file contents—even when the Gemini sidebar was closed.
Protecting Your AI Interactions from This Novel Threat
This new attack vector creates a major blind spot for traditional security solutions like Data Loss Prevention (DLP) systems, which cannot monitor these DOM-level interactions inside the browser. Simply blocking AI websites by URL is also ineffective against internal AI applications.
LayerX recommends that organizations shift their security focus to inspecting in-browser activity. Key strategies include:
- Monitoring DOM interactions within AI tools for suspicious activity.
- Blocking risky extensions based on their behavior, not just their declared permissions.
- Actively preventing prompt tampering and data theft at the browser level in real-time.
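Concretely, the first recommendation above, watching the prompt field itself for changes the user did not make, can be prototyped in page-side JavaScript. This is an added example, not code from LayerX or Hackread; it assumes the prompt is a plain textarea and that `report()` is whatever sink receives findings.

```javascript
// Added example, not LayerX's or Hackread's code: a small prompt-integrity
// monitor for a page's own prompt textarea. It keeps the value the user really
// typed (input events with isTrusted === true), counts script-dispatched
// synthetic input events, and compares the typed value with the value about to
// be submitted. Any difference is a possible DOM-level tampering finding.

class PromptIntegrityMonitor {
  constructor() {
    this.trustedValue = "";   // last value produced by a real user keystroke
    this.syntheticEvents = 0; // input events dispatched by script, not the user
  }

  // Called for every `input` event on the prompt field.
  onInput(value, isTrusted) {
    if (isTrusted) this.trustedValue = value;
    else this.syntheticEvents += 1;
  }

  // Called right before the prompt is sent; returns a finding and resets state.
  onSubmit(submittedValue) {
    const tampered = submittedValue !== this.trustedValue;
    const finding = {
      tampered,
      syntheticEvents: this.syntheticEvents,
      injected: tampered ? injectedSegment(this.trustedValue, submittedValue) : "",
    };
    this.syntheticEvents = 0;
    this.trustedValue = "";
    return finding;
  }
}

// Text in `submitted` that is absent from `typed`: strip the common prefix and
// suffix so an insertion in the middle of the prompt is isolated as well.
function injectedSegment(typed, submitted) {
  let p = 0;
  while (p < typed.length && p < submitted.length && typed[p] === submitted[p]) p++;
  let s = 0;
  while (s < typed.length - p && s < submitted.length - p &&
         typed[typed.length - 1 - s] === submitted[submitted.length - 1 - s]) s++;
  return submitted.slice(p, submitted.length - s);
}

// Browser wiring (assumed: caller locates the textarea and supplies report()).
function attachToPromptField(textarea, monitor, report) {
  textarea.addEventListener("input", (e) => monitor.onInput(textarea.value, e.isTrusted));
  textarea.addEventListener("keydown", (e) => {
    if (e.key === "Enter" && !e.shiftKey) report(monitor.onSubmit(textarea.value));
  });
}
```

A monitor running inside the page can itself be altered by an extension with scripting access, so treat its findings as a detection signal to feed into browser-level monitoring rather than as enforcement.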
Expert Insights on the Future of AI Security
Mayank Kumar, Founding AI Engineer at DeepTempo, shared his thoughts on the wider implications with Hackread.com. "The pressure to integrate generative AI is real," he noted, but warned that this rapid adoption is "severely testing the security infrastructure built in the pre-GenAI era."
Kumar stressed that attacks like Man in the Prompt prove that we must rethink security for the entire AI ecosystem. "Prompts are not just text, they are interfaces," he said. This means securing the full data journey, from the user's browser to the AI model and back. He advocates for deep-layer network monitoring to detect anomalies in traffic correlated with AI use, providing a crucial layer of defense against this new wave of sophisticated cyber threats.