A vulnerability in Firefox's AI chatbot integration could allow malicious websites to inject hidden instructions into AI prompts and extract data from connected services such as email accounts.
Mozilla has implemented mitigations, though the researchers who discovered the problem say the underlying security issue extends beyond Firefox.
The flaw was discovered in October 2025 by Florian Port of German cybersecurity firm ERNW and publicly disclosed on June 16, 2026. It affected Firefox's AI-powered summarization, explanation, and proofreading features, which can send webpage content to third-party chatbots integrated into the browser's sidebar.
Firefox supports multiple AI providers, including Anthropic Claude, ChatGPT, Google Gemini, Le Chat Mistral, and Microsoft Copilot. When a user requests a summary, Firefox automatically creates a prompt containing the page title, selected content, and instructions for the chatbot.
According to Port, the page title created an injection point because it was inserted directly into the prompt despite being fully controlled by the website. A malicious page could craft a title that breaks out of the intended prompt structure and injects additional commands that the AI model interprets as user instructions.
In a proof-of-concept attack using Microsoft Copilot, the researchers demonstrated how a malicious webpage could instruct the chatbot to retrieve information from the user's connected email account and send it to an attacker-controlled server. Although Copilot's free tier only exposed email metadata, it was sufficient to extract login or verification codes from email subject lines.
The demonstration targeted a Booking.com verification email. The injected prompt directed Copilot to locate the most recent verification code and exfiltrate it through an HTTP request. The researchers confirmed that the correct code was successfully retrieved and transmitted.
insinuator.net
The attack was designed to remain largely invisible to victims. The malicious instructions were hidden within a long page title that was truncated in the browser tab, while much of the generated prompt remained out of view in the chatbot interface.
ERNW argues the issue stems from a broader design problem in AI integrations. AI systems generally treat user prompts as trusted input while applying additional safeguards to external content, such as websites and emails. By inserting attacker-controlled webpage data into a prompt on the user's behalf, Firefox effectively bypassed that trust boundary.
Mozilla acknowledged the report on October 21, 2025, and discussions continued through April 2026. According to ERNW, Mozilla's mitigation limits the length of page titles included in AI prompts, making prompt injection significantly harder. However, the researchers note that this reduces exploitability rather than eliminating the underlying risk.
To protect personal or sensitive data from such attack scenarios, users should carefully consider what permissions they grant to AI chatbots, particularly access to email, calendars, and other sensitive data sources.
Leave a Reply