New Man-in-the-Prompt Attack Puts Generative AI Tools at Risk

Security researchers at LayerX have disclosed a new attack technique that enables malicious browser extensions to extract sensitive information from widely used generative AI platforms.

August 1, 2025

Arsalan Rathore

This technique, named Man-in-the-Prompt, takes advantage of how AI tools interact with the browser environment, opening the door to covert data exfiltration. The method has been successfully tested on several major large language model platforms, including ChatGPT, Google Gemini, Microsoft Copilot, Claude, and DeepSeek.

How the attack works

LayerX explains that most generative AI tools run inside the browser, where the user's prompt field is just another element of the page's Document Object Model, or DOM. Any installed browser extension that can execute scripts on the page can therefore read from and write to that field, whatever other permissions it declares.

“When users interact with an LLM-based assistant, the prompt input field is typically part of the page’s Document Object Model. This means that any browser extension with scripting access to the DOM can read from or write to the AI prompt directly,” LayerX noted in its report.

In practice, a malicious extension can open an AI assistant in a hidden tab, issue prompts designed to extract information, send that data to a remote server controlled by the attacker, and delete the chat history to remove any evidence.

Enterprise AI tools face greater exposure

While this method is technically viable against any AI assistant, the threat becomes significantly more dangerous when targeting enterprise-grade AI models. These models are often trained on and used to handle highly sensitive data, including intellectual property, confidential communications, employee records, financial data, and internal documentation.

In one proof-of-concept, LayerX demonstrated how an extension could access ChatGPT, extract confidential information, and exfiltrate it without user awareness. Another test involving Google Gemini showed how the AI’s deep integration with Google Workspace could allow attackers to access Gmail, Docs, Calendar, and Meet, enabling the theft of contacts, emails, internal documents, and meeting summaries.

The attacker can operate remotely through a command-and-control server, using the extension as a communication bridge to interact with the AI assistant and extract valuable information.

High extension usage increases risk

The success of this attack depends on the user unknowingly installing a malicious browser extension. However, data from LayerX shows that 99 percent of enterprises use at least one browser extension, and more than half use ten or more. This level of adoption suggests that attackers find it relatively easy to blend a rogue extension into environments that rely heavily on browser-based tools.

LayerX shared its findings with Google, which concluded that the issue is not a vulnerability in the traditional sense and does not require a CVE designation. The security firm agrees with this assessment, describing the issue as a structural weakness rooted in the level of access granted to browser extensions by default.

Security recommendations for organizations

To protect against this attack, LayerX recommends that organizations implement security controls that monitor DOM interactions on web pages hosting AI platforms. This includes detecting unauthorized scripts, browser listeners, and background activities linked to generative AI prompts. The firm also advises IT teams to evaluate and restrict browser extensions based on behavioral risk rather than just permission requests.
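The attack chain described above (a script-driven prompt in a hidden tab, an outbound request to an attacker-controlled server, and deletion of the chat) and the DOM-monitoring controls LayerX recommends can both be illustrated with a small detection routine. The following is an added example, not LayerX's code or any vendor's product: it scores a constructed stream of page-side telemetry for that pattern. The telemetry schema, the `assistant.example` and `collector.invalid` origins, and the rule names are all assumptions made for the example; in a real content script the underlying signals would come from standard browser APIs such as `event.isTrusted` (false for script-dispatched input events), `document.visibilityState`, and a `MutationObserver` on the prompt element.

```javascript
// Added example (not from the article or LayerX): score browser-side telemetry
// from a page hosting an AI assistant for the Man-in-the-Prompt pattern.
//
// The event schema is hypothetical. Each event has a timestamp `t` (ms) and a
// `type`; `trusted` mirrors `event.isTrusted`, which browsers set to false for
// input events synthesised by scripts (e.g. an extension typing into the prompt).

// Hypothetical allowlist: origins the AI platform page is expected to talk to.
const ALLOWED_ORIGINS = new Set(["https://assistant.example"]);

// Walk the telemetry in order and emit findings per detection rule.
function analyzePromptSession(events, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  let hidden = false; // from document.visibilityState in a real content script
  let lastUntrustedPrompt = null; // timestamp of the latest script-driven prompt

  for (const ev of events) {
    switch (ev.type) {
      case "visibility":
        hidden = ev.state === "hidden";
        break;
      case "prompt_write":
      case "prompt_submit":
        // Rule 1: prompt text written or submitted without a trusted user event.
        if (!ev.trusted) {
          findings.push({ t: ev.t, rule: "untrusted_prompt_input", detail: ev.type });
          lastUntrustedPrompt = ev.t;
        }
        // Rule 2: a prompt submitted while the tab is not visible to the user.
        if (hidden && ev.type === "prompt_submit") {
          findings.push({ t: ev.t, rule: "hidden_tab_prompt", detail: ev.type });
        }
        break;
      case "network":
        // Rule 3: outbound request to an unapproved origin shortly after a
        // script-driven prompt, i.e. a candidate exfiltration channel.
        if (
          !allowedOrigins.has(ev.origin) &&
          lastUntrustedPrompt !== null &&
          ev.t - lastUntrustedPrompt < 30000
        ) {
          findings.push({ t: ev.t, rule: "exfil_candidate", detail: ev.origin });
        }
        break;
      case "history_delete":
        // Rule 4: conversation deleted by script rather than by the user.
        if (!ev.trusted) {
          findings.push({ t: ev.t, rule: "evidence_removal", detail: "script-initiated delete" });
        }
        break;
      default:
        break;
    }
  }

  const distinctRules = new Set(findings.map((f) => f.rule));
  const severity = distinctRules.size >= 3 ? "high" : distinctRules.size > 0 ? "medium" : "none";
  return { severity, findings };
}

// Constructed sample: the chain described in the article, as telemetry.
const MALICIOUS_SESSION = [
  { t: 0, type: "visibility", state: "hidden" },
  { t: 100, type: "prompt_write", trusted: false, chars: 180 },
  { t: 150, type: "prompt_submit", trusted: false },
  { t: 2400, type: "network", origin: "https://collector.invalid" },
  { t: 2500, type: "history_delete", trusted: false },
];

// Constructed sample: an ordinary user session that should produce no findings.
const BENIGN_SESSION = [
  { t: 0, type: "visibility", state: "visible" },
  { t: 800, type: "prompt_write", trusted: true, chars: 42 },
  { t: 1200, type: "prompt_submit", trusted: true },
  { t: 1300, type: "network", origin: "https://assistant.example" },
];

console.log(JSON.stringify(analyzePromptSession(MALICIOUS_SESSION), null, 2));
console.log(JSON.stringify(analyzePromptSession(BENIGN_SESSION), null, 2));
```

The rules deliberately key on behaviour rather than on extension permissions, which is the distinction the article draws: an extension that merely declares broad permissions is not flagged, but one that types into the prompt, submits it from a hidden tab, and then talks to an origin outside the allowlist is. The 30-second window and the "three distinct rules equals high" threshold are tuning choices for the example, not values from the report.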
