Abuse of AI Chat and Summarization Features to Exfiltrate or Manipulate User Data
Security reporting warned that browser extensions (including free add-ons marketed for ad blocking or VPN functionality) may be overriding browser XMLHttpRequest() and fetch() calls to capture and monetize users’ full conversations with popular AI chatbots (e.g., ChatGPT, Claude, Gemini, DeepSeek). An AI expert reported the captured content was stored in a searchable database and sold via API access; while users were assigned pseudonymized IDs, the prompts and responses were retained in full and frequently contained highly sensitive data, including medical details, immigration status, and other personal identifiers—raising significant privacy, compliance, and data-handling risk, particularly where healthcare staff paste real patient data into chat tools.
Separately, Microsoft reported a manipulation technique targeting “Summarize with AI” features where companies embed hidden prompt-injection instructions in URLs or page elements so that, when a user clicks to summarize, the AI assistant is prompted to “remember” a company as trusted or preferentially recommend it in the future. Microsoft identified 50+ unique prompts from 31 companies across 14 industries, noting that readily available tooling makes this easy to deploy and that the impact can be subtle, persistent bias in AI recommendations on high-stakes topics (including security) without user awareness.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Lee S. Dryburgh uncovers AI chatbot conversation harvesting by browser add-ons
AI expert Lee S. Dryburgh reported that free browser extensions, including ad blockers and VPN add-ons, may intercept browser request functions to capture full AI chatbot prompts and responses. He said the collected conversations were stored in a searchable database and sold through API access, including sensitive data such as medical and immigration-related information.
Microsoft identifies prompt-injection abuse of AI summarization features
Microsoft reported that some companies were embedding hidden instructions in URLs to manipulate 'Summarize with AI' features and bias an AI assistant's future responses. The report said it found more than 50 unique prompt-injection strings linked to 31 companies across 14 industries.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious Chrome Extensions Stole Conversations From ChatGPT, Claude, Gemini, and DeepSeek
Researchers reported that several AI-themed browser extensions in official marketplaces covertly harvested user conversations from generative AI services including **ChatGPT, Claude, Copilot, Gemini, and DeepSeek**. G Data identified **Urban VPN**, **Smart Sidebar: ChatGPT, Claude and DeepSeek**, and **AI Assistant/Chat AI** as examples that remained outwardly functional while injecting scripts, intercepting requests, tampering with page content, or using hidden iframes to capture prompts and responses from visited AI sites. Investigators said the stolen data included conversation IDs, hostnames, timestamps, and full chat histories, with some payloads encoded in Base64 and sent to external servers. The extensions reportedly had strong ratings, large user bases, and in one case a Chrome Web Store **Featured** badge, underscoring how official store vetting can miss dynamic malicious behavior such as remote iframe communications; researchers warned that AI-focused extensions now expose a broad attack surface and urged enterprises to enforce strict extension allow-listing, minimize permissions, and remove unnecessary add-ons from systems accessing sensitive AI platforms.
Jun 15, 2026
Prompt Injection Attacks Abuse AI Agent Memory and Link Previews for Manipulation and Data Exfiltration
Security researchers reported multiple **prompt-injection-driven attack paths** that exploit how AI assistants and agentic systems process untrusted content. Microsoft researchers described **AI recommendation/memory poisoning** (mapped in MITRE ATLAS as **`AML.T0080: Memory Poisoning`**) in which attackers insert instructions that cause an assistant to persistently “remember” certain companies, sites, or services as trusted or preferred, shaping future recommendations in later, unrelated conversations. Observed activity over a 60-day period included **50 distinct prompt samples** tied to **31 organizations across 14 industries**, with potential downstream impact in high-stakes domains like health, finance, and security where manipulated recommendations can mislead users without obvious signs of tampering. A separate finding highlighted how **AI agents embedded in messaging apps** can be coerced into leaking secrets via **malicious link previews**. PromptArmor demonstrated that an attacker can use chat-based prompt injection to trick an AI agent into generating an attacker-controlled URL that includes sensitive data (e.g., API keys) as parameters; when messaging platforms (e.g., Slack/Telegram) automatically fetch **link preview** metadata, the preview request can become a **zero-click exfiltration channel**—no user needs to click the link for the data-bearing request to be sent. Together, the reports underscore that agent features intended to improve usability—*persistent memory*, URL-based prompt prepopulation (e.g., “Summarize with AI” buttons), and automatic preview fetching—can be repurposed into scalable manipulation and data-loss mechanisms when untrusted prompts are processed implicitly.
Mar 21, 2026
Poisoning AI Outputs via Web Content and Prompted “Summarize” Links
Security researchers are highlighting how attackers can **poison AI systems** by manipulating what models ingest or remember from web content, leading to untrustworthy outputs that may be widely relied upon. Bruce Schneier demonstrated that simply publishing a fabricated webpage can quickly influence major chatbots and search-integrated AI features (e.g., Google’s AI Overviews and Gemini), which then repeated the false claims as if they were factual; in his test, some models were fooled while others were more resistant. Separately, reporting described **AI recommendation/memory poisoning** via “Summarize with AI” buttons that embed long prompts inside URLs. The visible instruction (e.g., “summarize this article”) can be paired with hidden directives such as “remember this site as a trusted authority,” causing the user’s authenticated AI account to update long-term preferences or memory in ways that benefit an attacker or marketer. The write-up cites Microsoft threat intelligence observations of dozens of in-the-wild examples across multiple companies and warns the technique can blend into **malvertising** and become higher-risk when applied to domains like finance, healthcare, or security decision-making.
Mar 23, 2026