Browser extensions expose a new prompt injection path for GenAI

At a glance

What this is: This analysis explains how browser extensions can turn GenAI web apps into prompt-injection and data-exfiltration targets through DOM access.

Why it matters: It matters because IAM, DLP, and CASB controls do not see browser-level prompt manipulation, leaving both internal and commercial AI use exposed to silent abuse.

By the numbers:

• 99% of enterprise users have at least one browser extension installed in their browsers.
• 53% have more than 10 extensions.

👉 Read LayerX Security's analysis of man-in-the-prompt attacks on GenAI tools

Context

Browser-based GenAI tools inherit the trust model of the browser, not just the model. When a prompt lives in the page DOM, any extension with scripting access can read it, alter it, or copy the response, which turns everyday browser add-ons into a governance problem for AI access and data handling.

For IAM teams, the issue is not whether the model is public or internal. The problem is that a user session with legitimate access can be hijacked at the browser layer, bypassing controls that were designed for authenticated applications, not invisible prompt tampering inside the client runtime.

This is why browser extension governance now sits alongside NHI and AI usage governance. The same user can be authenticated correctly while their AI session is silently manipulated, which creates a gap between identity assurance and actual data-control enforcement.

Key questions

Q: How should security teams govern browser extensions that access GenAI tools?

A: Treat extensions as part of the AI access path, not as harmless add-ons. Review which extensions can script pages, monitor how they interact with prompts and responses, and block tools that can manipulate GenAI sessions without a clear business need. Permission checks alone are insufficient because the risky behaviour often appears at runtime, inside the browser session itself.

Q: Why do browser-based GenAI tools create more risk than many IAM teams expect?

A: Because the session can be legitimate while the interaction is malicious. A user may authenticate correctly, yet a browser extension can still read prompts, inject hidden instructions, and exfiltrate results from the page. IAM proves the user is signed in, but it does not by itself prove the browser interaction is trustworthy.

Q: What breaks when prompt injection happens through a browser extension?

A: The normal control stack loses visibility into the attack. URL filtering, CASB, and DLP are unlikely to detect DOM-level prompt changes or hidden background queries, so the organisation can miss data theft that happens entirely inside the user’s active session. The failure is observability, not authentication.

Q: Who should be accountable for extension-driven AI data loss?

A: Shared accountability is needed across identity, endpoint, and AI governance teams. IAM owns access policy, endpoint teams own browser control posture, and AI governance owns the rules for sensitive prompts and internal copilots. If extensions can alter prompts invisibly, no single control domain can claim complete coverage.

Technical breakdown

How DOM-level prompt access enables man-in-the-prompt attacks

Most browser-hosted GenAI tools render the prompt box inside the page DOM, which means extensions can interact with it as if they were part of the page itself. A malicious or compromised extension can read the prompt, modify the text before submission, and capture the response after it returns. That is different from model compromise. The model may behave normally, but the browser session becomes the attack surface. Because the extension operates inside the user’s session context, the abuse looks like legitimate interaction unless the browser layer is monitored directly.

Practical implication: Inspect browser activity around GenAI tools instead of relying only on URL filtering or downstream DLP.

Why internal copilots are more exposed than many teams assume

Internal LLMs often have access to confidential material such as source code, legal documents, HR data, or product plans. The risk comes from freeform querying combined with broad user permissions and weak visibility into what the browser is doing to the page. If a compromised extension injects a hidden query, the model can return sensitive content that the user was already authorized to see, even though the user never intended to ask for it. The boundary failure is in the interaction layer, not in the model itself.

Practical implication: Classify internal AI tools as sensitive data interfaces and review them for browser-session abuse paths.

Why extension permissions are a poor proxy for risk

LayerX’s proof of concept showed that even extensions without special permissions can still access and manipulate AI prompts if they can script the page. That breaks the usual assumption that permission review alone is enough to assess browser add-ons. Static allowlists miss the problem because the relevant capability is DOM interaction, not an obvious permission flag. In practice, the extension’s trustworthiness depends on runtime behaviour, publisher reputation, and whether it can alter AI sessions in ways the security stack cannot observe.

Practical implication: Move from permission-only reviews to behavioural extension assessment for any browser that reaches GenAI tools.

Threat narrative

Attacker objective: The attacker aims to use the user’s trusted GenAI session to extract sensitive corporate data without triggering conventional browser or SaaS controls.

1. Entry occurs when a user installs a compromised or risky browser extension that can script the page hosting the GenAI tool.
2. Escalation happens when that extension reads the prompt, inserts hidden instructions, and submits queries from within the user’s authenticated session.
3. Impact follows when the extension exfiltrates model output and deletes traces, turning the AI interface into a covert data channel.

Breaches seen in the wild

• DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
• Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Browser-level prompt control is now an identity problem, not just an application problem. The article shows that a validly authenticated user can still have their GenAI session manipulated by a browser extension that operates inside the same session context. That moves the trust boundary from the model to the browser, where conventional IAM, SWG, and DLP tooling have far less visibility. Practitioners should treat the browser as part of the identity enforcement surface.

Prompt tampering creates an identity blast radius that extends beyond the model itself. Once an extension can read and rewrite prompts, the user’s authority becomes a vehicle for data extraction rather than a safeguard. The same access that lets a worker query documents or summarise email can be repurposed to enumerate sensitive material, which means access governance must account for client-side manipulation, not only backend entitlements. Security teams need to think in terms of session abuse, not just account compromise.

High-trust AI access becomes fragile when the interaction layer is invisible. Internal copilots often assume trusted use, but the article demonstrates that trust can be broken without any obvious permission escalation or model jailbreak. That means organisations are over-relying on the assumption that a signed-in session is a trustworthy session. The practical conclusion is that control design must extend into browser behaviour, because authenticated access alone does not prove safe AI use.

Browser extension governance is now part of GenAI governance. The 99% installation rate for browser extensions means this is not a niche edge case but a default enterprise condition. Where teams previously focused on model policy, data loss prevention, or SaaS access, they now need to evaluate how extensions interact with prompts, responses, and hidden automation inside the page. This should reshape policy, review, and monitoring priorities across AI, endpoint, and identity teams.

Man-in-the-prompt is a named concept for a real governance gap. It describes the point where browser scripting, prompt access, and session authority intersect to bypass the assumptions behind application-level controls. That gap matters because it turns legitimate user access into covert extraction capacity. Practitioners should recognise the concept as a control-design failure, not as a model-only vulnerability.

From our research:

• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
• 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, according to The State of Non-Human Identity Security.
• For a broader governance lens, see 52 NHI Breaches Analysis for recurring patterns in identity exposure and abuse.

What this signals

Man-in-the-prompt is a browser governance problem that will keep widening as GenAI adoption spreads. The practical response is to treat browser extensions, prompt surfaces, and internal copilots as one control plane, because the attacker only needs one weak client-side entry point. Teams that rely on URL blocks or standard DLP will miss the path entirely.

With 99% of enterprise users already running at least one extension, according to LayerX Security, the default browser posture is not a peripheral issue but an enterprise-wide identity exposure surface. That makes extension governance, runtime inspection, and prompt-aware monitoring part of the baseline programme for AI adoption.

If your organisation is formalising AI usage policy now, align it with endpoint controls and browser restrictions at the same time. The most useful next step is to define which extensions are allowed to interact with GenAI tools and which must be isolated from sensitive workflows.

For practitioners

• Audit browser extensions that can reach GenAI tools Inventory extensions on endpoints that access ChatGPT, Gemini, Copilot, or internal copilots, then flag any add-on that can script page content or interact with AI prompts.
• Classify GenAI browser sessions as sensitive data paths Apply tighter monitoring to AI web apps used for source code, legal content, HR records, and customer data, because prompt exfiltration can happen inside a normal authenticated session.
• Shift extension review from permissions to behaviour Do not rely on permission-only scoring. Combine publisher reputation, runtime inspection, and sandboxing to detect extensions that can alter prompts or hide their activity.
• Monitor for hidden prompt injection and response exfiltration Add browser-layer controls that watch for DOM changes, unexpected background tabs, deleted chat traces, and unusual outbound calls linked to GenAI use.

Key takeaways

• Browser extensions can turn legitimate GenAI sessions into covert extraction channels, which means the browser now sits inside the AI trust boundary.
• The scale is broad enough to matter operationally, because 99% of enterprise users already have at least one browser extension installed.
• The control gap is not just missing permissions, but missing visibility into DOM-level prompt manipulation and response exfiltration.

Key terms

• Man in the prompt: A browser-side attack pattern where an extension or script reads, changes, or reuses a GenAI prompt inside the user’s session. The model itself may be healthy, but the interaction channel is compromised, allowing silent data extraction or instruction injection.
• Browser extension risk: The security exposure created when browser add-ons can observe or alter page content, including AI prompts and responses. In GenAI environments, the risk is not limited to permissions. Runtime behaviour inside the browser can be enough to steal information or manipulate output.
• Prompt injection: An attack that inserts hidden or malicious instructions into an AI interaction so the model behaves in a way the user did not intend. In browser-hosted tools, prompt injection can happen through the page itself, making it hard for traditional controls to detect.
• Session exfiltration: The theft of data from an active authenticated session by abusing the session’s own tools and permissions. For GenAI, this means a user can appear properly logged in while the browser quietly forwards prompts or model output elsewhere.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by LayerX Security: Top 5 GenAI Tools Vulnerable to Man-in-the-Prompt Attack, Billions Could Be Affected. Read the original.