Researcher Florian Port (ERNW) has discovered a critical vulnerability in the integration of AI chatbots within the Firefox browser, which allows for Prompt Injection attacks to steal sensitive information.
What Happened
Attackers can use Prompt Injection attacks via malicious HTML tags on web pages to hijack the AI assistant in Firefox. This enables the extraction of sensitive data, such as 2FA codes from emails, and the covert transmission of this data to external servers.
Context
The issue stems from the lack of a clear trust boundary when passing external data, such as page headers and content, into prompts generated on behalf of the user. As a temporary measure, Mozilla has limited the length of passed headers; however, the fundamental architectural problem of mixing uncontrolled web content with system instructions remains unresolved.
Why It Matters for the Industry
This incident highlights a systemic risk for all application developers using LLMs for summarization or web content processing. The industry needs to rethink how context is passed and implement isolation mechanisms (sandboxing) or specialized layer architectures (Prompt Guarding) to protect system instructions from external data.
Why It Matters for Users
Firefox users should exercise caution when using built-in AI summarization features on suspicious or unknown websites. There is a risk of compromising personal correspondence and accounts through the interception of two-factor authentication codes.
Sources
Author
Look at AI, Editorial Team