Indirect Prompt Injection Flaws Expose AI Browsers and Assistants to Data Theft
Researchers and security outlets reported multiple indirect prompt injection weaknesses affecting AI-driven browsing and assistant features, showing how hidden instructions embedded in untrusted web content can manipulate model behavior and steer users into credential theft or data exposure. Cato Networks disclosed WebPromptTrap in BrowserOS, where malicious webpage content abused Agent Chat Mode summarization to insert a convincing call to action and attacker-selected link; in the proof of concept, victims could be pushed into a GitHub authorization flow that exposed access tokens and repository access. Cato said the issue affected BrowserOS 0.30.0 and earlier, was identified in 0.29.0, and was fixed in 0.32.0 after responsible disclosure.
Separate reporting described similar risks in OpenAI's ChatGPT Atlas browser and in Microsoft Copilot, underscoring that the problem extends beyond a single product. LayerX said Atlas could be fed malicious instructions through web content in a "tainted memories" attack, while Axios, TechSpot, and commentary from OpenAI CISO Dane Stuckey highlighted broader security and privacy concerns around prompt injection in AI browsers. Varonis also detailed Reprompt, a single-click Copilot attack that could silently exfiltrate personal data. Together, the disclosures show that AI systems that summarize pages, retain context, or act on behalf of users can be turned into phishing and data-theft intermediaries unless untrusted content is strictly isolated from model instructions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
SafeBreach discloses prompt injection attack on Google Gemini notifications
SafeBreach disclosed an indirect prompt injection technique affecting Google Gemini's notification summarization and voice assistant features, showing how hidden instructions in muted hyperlinks or invisible foreign-language text could misrepresent messages and potentially trigger unauthorized actions. The researchers said Google was notified through responsible disclosure and deployed content-classifier updates; the article said there was no evidence of in-the-wild exploitation.
Permiso discloses ChatGPhish prompt injection in ChatGPT page summaries
Permiso published research on 'ChatGPhish,' a browser-based prompt injection technique in which attacker-controlled webpage text influences ChatGPT's page summarization output and causes phishing links, QR codes, spoofed alerts, and remote image fetches to appear inside the trusted ChatGPT interface. The researchers said they reported the issue to OpenAI via Bugcrowd in late April and early May 2026 before publishing their findings.
Cato publicly discloses WebPromptTrap indirect prompt injection technique
Cato published details of WebPromptTrap, including a proof of concept showing how a manipulated AI-generated summary could steer a victim into a malicious GitHub authorization flow that yields access tokens and repository access. The researchers warned the same attack pattern could be adapted to other enterprise roles and SaaS platforms such as ERP, HR, payroll, CRM, and service management systems.
BrowserOS team fixes WebPromptTrap in version 0.32.0
After responsible disclosure from Cato, the BrowserOS team remediated the WebPromptTrap issue in BrowserOS 0.32.0. Cato said the vulnerability affected BrowserOS 0.30.0 and earlier.
BrowserOS vulnerable to WebPromptTrap in version 0.29.0
Cato researchers identified an indirect prompt injection issue in BrowserOS while testing version 0.29.0. The flaw abused Agent Chat Mode page summarization by embedding hidden instructions in untrusted webpage content.
Brave discloses screenshot-based prompt injections in Comet
Brave published research describing 'unseeable prompt injections in screenshots' affecting its Comet AI browser and possibly other AI browsers. The disclosure introduced a distinct prompt-injection technique using screenshot content rather than hidden webpage text.
ChatGPT Operator prompt injection exploits and defenses discussed
A reference published on 2025-02-17 documented prompt injection exploit scenarios and defensive considerations for ChatGPT Operator. This is a distinct earlier development in the broader prompt-injection story, separate from Cato's later BrowserOS WebPromptTrap findings.
Slack AI data exfiltration via indirect prompt injection disclosed
A reference published on 2024-08-20 documented how indirect prompt injection could be used to exfiltrate data from Slack AI. The disclosure added another concrete example of prompt-injection abuse affecting enterprise AI assistants.
GitHub Copilot Chat prompt injection data exfiltration disclosed
A June 2024 reference documented how prompt injection against GitHub Copilot Chat could be used to exfiltrate data, marking an earlier concrete example of prompt-injection abuse in AI coding assistants. This predates the ChatGPT Operator and BrowserOS prompt-injection developments already in the timeline.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
19 references tracked. Mallory keeps watching after this page renders.
Researcher Warns of ‘ChatGPhish’ Vulnerability That Could Turn Web Summaries Into Phishing Attacks - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceMalicious Notifications Could Trick Google Gemini Users
darkreading.com
Open sourcePrompt-inject ChatGPT with any web page - Pivot to AI
pivot-to-ai.com
Open sourceResearchers Show How ChatGPT Summaries Could Be Used for Phishing Attacks - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceChatGPT Operator: Prompt Injection Exploits & Defenses
simonwillison.net
Open sourceData Exfiltration from Slack AI via indirect prompt injection
simonwillison.net
Open sourceGitHub Copilot Chat: From Prompt Injection to Data Exfiltration
simonwillison.net
Open sourceLet ChatGPT visit a website and have your email stolen
simonwillison.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prompt Injection Risks in Agentic AI and AI-Powered Browsers
Security researchers reported that **prompt injection** is enabling practical attacks against *agentic AI* systems that have access to tools and user data, and argued the industry is underestimating the threat. A proposed framing, **“promptware,”** describes malicious prompts as a malware-like execution mechanism that can drive an LLM to take actions via its connected tools—potentially leading to **data exfiltration**, cross-system propagation, IoT manipulation, or even **arbitrary code execution**, depending on the permissions and integrations available. Trail of Bits disclosed results from an adversarial security assessment of Perplexity’s *Comet* browser, showing how prompt injection techniques could be used to **extract private information from authenticated sessions (e.g., Gmail)** by abusing the browser’s AI assistant and its tool access (such as reading page content, using browsing history, and interacting with the browser). Their threat-model-driven testing emphasized that agentic assistants can treat external web content as instructions unless it is explicitly handled as **untrusted input**, and they published recommendations intended to reduce prompt-injection-driven data paths between the user’s local trust zone (profiles/cookies/history) and vendor-hosted agent/chat services.
Mar 21, 2026
Prompt Injection and Persistent Memory Exploits in AI-Powered Browsers
Researchers have identified critical security vulnerabilities in several AI-powered browsers, including OpenAI's Atlas and other emerging platforms such as Comet and Fellou. These browsers, which allow AI agents to perform actions on behalf of users, are susceptible to prompt injection attacks—where hidden or malicious instructions embedded in web content are executed by the AI. In documented cases, attackers were able to hide commands in web pages or images, leading the browser to perform unauthorized actions such as extracting email subject lines and exfiltrating data to attacker-controlled sites, all without user confirmation. A particularly severe exploit targets the persistent memory feature of the ChatGPT Atlas browser, introduced by OpenAI to personalize user experiences. By chaining a cross-site request forgery (CSRF) vulnerability with a memory write, attackers can inject malicious instructions that persist across sessions, devices, and even different browsers. This allows for ongoing compromise, including privilege escalation, malware deployment, and account takeover, unless users manually clear the tainted memory. The persistence and stealth of these attacks significantly elevate the risk profile for users of AI-enabled browsers, highlighting the urgent need for robust security controls and user awareness around prompt injection threats.
Apr 9, 2026
Prompt Injection Attacks Abuse AI Agent Memory and Link Previews for Manipulation and Data Exfiltration
Security researchers reported multiple **prompt-injection-driven attack paths** that exploit how AI assistants and agentic systems process untrusted content. Microsoft researchers described **AI recommendation/memory poisoning** (mapped in MITRE ATLAS as **`AML.T0080: Memory Poisoning`**) in which attackers insert instructions that cause an assistant to persistently “remember” certain companies, sites, or services as trusted or preferred, shaping future recommendations in later, unrelated conversations. Observed activity over a 60-day period included **50 distinct prompt samples** tied to **31 organizations across 14 industries**, with potential downstream impact in high-stakes domains like health, finance, and security where manipulated recommendations can mislead users without obvious signs of tampering. A separate finding highlighted how **AI agents embedded in messaging apps** can be coerced into leaking secrets via **malicious link previews**. PromptArmor demonstrated that an attacker can use chat-based prompt injection to trick an AI agent into generating an attacker-controlled URL that includes sensitive data (e.g., API keys) as parameters; when messaging platforms (e.g., Slack/Telegram) automatically fetch **link preview** metadata, the preview request can become a **zero-click exfiltration channel**—no user needs to click the link for the data-bearing request to be sent. Together, the reports underscore that agent features intended to improve usability—*persistent memory*, URL-based prompt prepopulation (e.g., “Summarize with AI” buttons), and automatic preview fetching—can be repurposed into scalable manipulation and data-loss mechanisms when untrusted prompts are processed implicitly.
Mar 21, 2026