Man-in-the-prompt attacks: how to stop browser extensions from hijacking your AI conversations
Any browser extension can silently inject commands into ChatGPT, Gemini, and Claude. Here's how man-in-the-prompt attacks work and how to stay safe.
You probably trust most of your browser extensions. You probably also use ChatGPT, Gemini, or Claude every day. Here's the uncomfortable part: researchers at LayerX Security disclosed in late July 2025 that any extension you've installed — even ones that didn't ask for a single special permission — can silently read, rewrite, and inject hidden instructions into every AI conversation you have. They're calling it "Man-in-the-Prompt," and it potentially affects billions of users across every major AI platform.
What is a man-in-the-prompt attack?
The idea behind man-in-the-prompt is deceptively simple, and that's exactly why it's so dangerous.
Every major GenAI tool — ChatGPT, Google Gemini, Anthropic's Claude, Microsoft Copilot, DeepSeek — renders your prompts as regular HTML elements in your browser's DOM (Document Object Model). That's the same DOM tree that any browser extension can access through a basic content script. No tabs permission needed. No webRequest API. No scary permission warnings during install. Just standard DOM access that virtually every content-injecting extension already has.
According to LayerX senior researcher Aviad Gispan, "any browser extension with scripting access to the DOM can read from, or write to, the AI prompt directly." In practical terms, that means a compromised or malicious extension can see everything you type into an AI tool and silently modify it before the AI even processes your request. It can also read every response the AI sends back.
As SecurityWeek reported, the attack was confirmed against the five largest GenAI platforms ranked by monthly traffic: ChatGPT (5 billion visits/month), Gemini (400 million), DeepSeek (275 million), Copilot (160 million), and Claude (115 million). The sheer scale of potentially affected users is staggering.
How the attack works in practice
LayerX published two proof-of-concept attacks that show what this looks like in the real world. Neither is theoretical — both were demonstrated against production AI tools.
PoC #1: Silent ChatGPT data exfiltration. A compromised extension receives a command from a command-and-control server. It opens a background tab to ChatGPT, submits a query designed to extract information, collects the AI's response, sends the data to an external server, and then deletes the entire chat from your history. You'd never see a notification. There'd be no trace in your chat list. The whole operation happens in a tab you didn't open and can't see.
PoC #2: Gemini Workspace data theft. This one is particularly alarming if you use Google Workspace. The extension silently queries Gemini — which has native access to your Gmail inbox, Google Contacts, Drive files, and Google Docs — and asks it to pull out specific data. Because Gemini is deeply integrated with your workspace, the AI readily provides email contents, contact lists, and documents. The extension just needed DOM access to talk to Gemini on your behalf. No OAuth tokens stolen, no API keys compromised. Just DOM manipulation.
What makes this harder to detect is that the Chrome Web Store already hosts legitimate extensions that do exactly this kind of prompt manipulation. Tools like Prompt Archer, Prompt Manager, and PromptFolder openly modify AI prompts as their core feature. They pass Chrome's review process because prompt manipulation is their stated purpose. A malicious extension doing the same thing wouldn't look any different to an automated review system.
Why this matters more than you think
If you use AI tools for personal brainstorming or casual questions, this is already bad. But for anyone working in an enterprise environment, the implications jump to a completely different level.
According to LayerX's research, 99% of enterprise users have at least one browser extension installed. Over half — 53% — have more than ten. Now consider that many organizations have deployed internal LLMs trained on their most sensitive assets: proprietary source code, legal documents, M&A strategy, financial forecasts, customer data. A single compromised extension could silently query that internal AI and extract proprietary information without triggering any existing security alerts.
The attack also sidesteps virtually every enterprise security tool currently deployed. CASBs (Cloud Access Security Brokers), Secure Web Gateways, and endpoint DLP solutions all lack visibility into DOM-level manipulations inside browser tabs. These tools inspect network traffic and file access patterns, but they can't see an extension reading text from a webpage's DOM elements. The attack happens entirely inside the browser's rendering engine, in a layer that most security stacks simply don't monitor.
Google was notified through responsible disclosure. But there's no quick architectural fix on the horizon. The fundamental tension is that GenAI tools need the DOM to render conversations, and extensions have legitimate reasons to access the DOM. Browsers haven't resolved this conflict, and it's unclear when they will.
The bigger pattern: AI tools as an extension attack surface
Man-in-the-prompt isn't an isolated finding. It's part of a growing body of research showing that AI tools have become prime targets for extension-based attacks.
Over the past few months, I've been tracking a clear escalation. Fake AI extensions impersonating ChatGPT and Gemini stole credentials from hundreds of thousands of users. Prompt Poaching campaigns harvested nearly a million users' AI conversations. And now, with man-in-the-prompt, researchers have shown that the attack doesn't even require a purpose-built malicious extension — any already-compromised extension can pivot to AI data theft with minimal effort.
The common thread is that AI tools process and display sensitive information in the browser, and browser extensions have broad access to that same environment. As more people rely on AI for work — writing emails, summarizing legal documents, generating code, analyzing financial data — the value of intercepting those conversations keeps going up. Attackers have noticed.
For enterprises, this creates a particularly nasty gap. Organizations spend heavily on securing their cloud infrastructure, their endpoints, and their network perimeters. But the browser — where employees increasingly do their most sensitive AI-powered work — remains largely unmonitored at the extension level. The man-in-the-prompt research makes that gap impossible to ignore.
How to protect yourself
I can't sugarcoat this — there's no perfect defense right now. But here are five steps that meaningfully reduce your risk.
1. Audit your extension list right now
Go through every extension installed across all your browsers. If you don't actively use something, remove it. Every extension is a potential attack surface for man-in-the-prompt exploitation, even if it never asked for special permissions. You can look up any extension on Extenshi's catalog to check its security profile, permission usage, and risk indicators before deciding whether to keep it.
2. Scrutinize content script permissions
When reviewing extensions, pay close attention to content script declarations. Any extension that says "can read and change all your data on all websites" or targets broad URL patterns has the DOM access needed for this attack. Some extensions legitimately need broad access — ad blockers, for example — but many request it unnecessarily. If an extension only needs to work on one site, it shouldn't have access to every site.
3. Use a clean browser profile for AI work
Create a dedicated browser profile with zero extensions for your AI conversations. Chrome, Firefox, and Edge all support multiple profiles. It takes about 30 seconds to set up and completely eliminates the man-in-the-prompt attack surface for that profile. This is probably the single most effective mitigation available today. If you manage a team, consider making this a standard recommendation — a designated "AI-only" profile that your security policy requires for working with sensitive prompts.
4. Prefer desktop apps or API access for sensitive work
If you regularly work with sensitive data in AI tools, consider using the provider's desktop application or direct API access instead of the browser interface. Desktop apps aren't exposed to browser extensions. API access goes through authenticated endpoints that extensions can't intercept through DOM manipulation. This isn't practical for every use case, but for the most sensitive workflows, it's worth the trade-off.
5. Be cautious with "AI enhancer" extensions
Extensions that advertise "prompt management," "AI enhancement," or "prompt templates" inherently possess the exact capability that makes man-in-the-prompt attacks possible. That's not automatically malicious, but it means you're trusting that extension with every single thing you type into an AI tool and everything the AI says back. Only install these from developers with an established track record, and check their security reports on Extenshi first.
What you can do right now
The man-in-the-prompt attack isn't theoretical. The proof-of-concept code works against production AI platforms that billions of people use daily. And the uncomfortable truth is that the extensions enabling it look identical to legitimate ones from the outside.
The one thing you can control is what extensions you allow to run alongside your AI tools. Every extension you remove is one less potential vector. Every extension you audit is one more you can trust with confidence.
Scan your extensions on Extenshi
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
Browser AI panel hijacking: how to check which of your Chrome extensions can abuse elevated privileges
CVE-2026-0628 showed extensions with basic permissions could access your camera, mic, and files via Chrome's Gemini panel. Here's how to stay safe.
300+ malicious Chrome extensions with 37 million downloads: how to check if you're affected
Security researchers exposed 300+ malicious Chrome extensions with 37.4M downloads stealing data, credentials, and emails. Here's how to protect yourself.