
A newly discovered threat dubbed “Man‑in‑the‑Prompt” exposes major generative AI tools — including ChatGPT, Google Gemini, Claude, Copilot, and DeepSeek — to prompt injection attacks via everyday browser extensions, enabling stealthy data theft and manipulation of AI inputs.
Browser Extensions as a New Attack Surface
LayerX Security’s research reveals that malicious or compromised browser extensions — even those without special permissions — can access and modify prompt input fields within AI tools rendered in web browsers, exploiting the DOM (Document Object Model) to conduct prompt injection attacks. This allows attackers to insert hidden instructions, intercept user queries, or extract sensitive information directly from the prompt.
Because most AI assistant interfaces operate within the browser, any extension with DOM access can alter visible and invisible elements, including prompt text. LayerX demonstrated proof‑of‑concept attacks targeting ChatGPT and Gemini, where an extension quietly opened background tabs, issued injected prompts to the model, exfiltrated the responses to a C2 server, and then deleted chat histories to cover its tracks.
In the Gemini variant, the integration with Google Workspace is abused — attackers can coax Gemini into revealing emails, files, contacts, and meeting summaries by injecting prompts into the Workspace sidebar prompt.
Scale and Impact on Enterprise Security
The threat is pervasive: 99% of enterprise users have at least one browser extension installed, and over half use more than ten, creating a ripe environment for extension-based attacks. Internal tools customized with proprietary corporate data are especially vulnerable, as compromised prompts can exfiltrate intellectual property, HR records, financial data, or confidential communications without detection.
Traditional perimeter defenses — such as SWGs, CASBs, or DLP tools — lack visibility into DOM-level manipulation and therefore cannot detect “Man-in-the-Prompt” activity.
LLM | Vulnerable to Man-in-the-Prompt | Vulnerable to Injection via Bot | # of Monthly visits |
ChatGPT | ✅ | ✅ | 5 billion |
Gemini | ✅ | ✅ | 400 million |
Copilot | ✅ | ✅ | 160 million |
Claude | ✅ | ✅ | 115 million |
DeepSeek | ✅ | ✅ | 275 million |
External LLM | ✅ | ❌ |
This new exploit complements existing concerns over indirect prompt injection — where hidden instructions embedded in external content influence LLM behavior — and has led OWASP to rank prompt injection as a top LLM security risk in its 2025 Top 10 report. Earlier high-profile cases — such as vulnerabilities in DeepSeek’s R1 model — underscore the challenges in safeguarding AI systems from adversarial inputs.
Security Recommendations and Mitigations
To mitigate this emerging risk, organizations should:
- Audit browser extensions installed across environments and restrict or remove unnecessary ones.
- Enforce least-privilege permissions for browser extensions and isolate DOM exposure for AI workflows.
- Apply GenAI-aware DLP solutions that monitor and block prompt manipulation in real time.
- Adopt secure prompt architectures, such as strict trust hierarchies separating system prompts from user or external content.
LayerX suggests treating AI prompt fields as sensitive inputs analogous to passwords or proprietary data fields, requiring the same level of monitoring and sandboxing.
Ultimately, the “Man‑in‑the‑Prompt” vulnerability represents a paradigm shift: AI tools once seen as insulated by backend logic are now exposed through front-end browser mechanics. As enterprises increasingly integrate GenAI into workflows, securing the browser and its extensions is critical to protecting internal models and sensitive data. The exploit underscores an evolving landscape in which prompt-level manipulation, rather than software bugs or network breaches, emerges as a central threat vector in AI security.
Leave a Reply