A serious flaw in widely used AI tools, like ChatGPT and Google Gemini, exposes them to a new type of attack called “Man-in-the-Prompt.”
Research shows that malicious browser extensions can misuse the Document Object Model (DOM) to inject prompts, steal sensitive data, and alter AI responses without needing special permissions.

The vulnerability impacts billions of users on major platforms, especially ChatGPT with 5 billion monthly visits and Gemini with 400 million users.
Browser Extension Exploit Targets AI Prompt:
The vulnerability arises from generative AI tools interacting with web browsers via DOM manipulation. Interacting with LLM-based assistants allows browser extensions with basic scripting to access prompt input fields.
This flaw lets attackers carry out prompt injection attacks by modifying user inputs or adding hidden commands in the AI interface.
The exploit effectively creates a “man-in-the-prompt” scenario where attackers can read from and write to AI prompts without detection.
LayerX researchers showed that certain extensions without special permissions can access commercial LLMs like ChatGPT, Gemini, Copilot, Claude, and Deepseek.

99% of enterprise users have at least one browser extension, and 53% have over 10. This makes the attack vector very concerning.
Current security tools such as CASBs, SWGs, and DLP solutions do not provide visibility into DOM-level interactions, making them ineffective against this type of attack.
Two notable proof-of-concept attacks show the seriousness of this vulnerability. The first involved targeting ChatGPT with a compromised extension connected to a command-and-control server.
A malicious extension opens background tabs, sends prompts to ChatGPT, logs the responses externally, and deletes chat history to hide its actions.
This complex attack happens within the user’s session, making it hard to detect.
The second proof-of-concept used Google Gemini’s (video) Workspace integration, offering access to emails, documents, contacts, and shared folders. The vulnerability lets extensions inject queries even with the Gemini sidebar closed, allowing attackers to access sensitive corporate data.
LayerX informed Google about this vulnerability, even though the company had not previously addressed risks from browser extensions related to Gemini Workspace prompts.
Organizations need to shift their security thinking from application-level control to in-browser behavior inspection. This includes:
Monitoring DOM interactions within GenAI tools and detecting listeners or webhooks that can interact with AI prompts.
Blocking risky extensions based on behavioral risk, not just allowlists. Since a static assessment based on permissions will not suffice (since some extensions won’t require any permissions), combining publisher reputation with dynamic extension standboxing is the best way to detect risky and malicious extensions.
Preventing prompt tampering and exfiltration in real time at the browser layer.
InfoSecBulletin Cybersecurity for mankind