TL;DR: Browser extensions with no special permissions can read and alter GenAI prompts, inject hidden instructions, and exfiltrate results across tools such as ChatGPT and Gemini, with 99% of enterprise users already running at least one extension, according to LayerX Security. The security problem is no longer just model abuse; it is browser-level identity and session trust collapse.
NHIMG editorial — based on content published by LayerX Security: Top 5 GenAI Tools Vulnerable to Man-in-the-Prompt Attack, Billions Could Be Affected
By the numbers:
- 99% of enterprise users have at least one browser extension installed in their browsers.
- 53% have more than 10 extensions.
Questions worth separating out
Q: How should security teams govern browser extensions that access GenAI tools?
A: Treat extensions as part of the AI access path, not as harmless add-ons.
Q: Why do browser-based GenAI tools create more risk than many IAM teams expect?
A: Because the session can be legitimate while the interaction is malicious.
Q: What breaks when prompt injection happens through a browser extension?
A: The normal control stack loses visibility into the attack.
Practitioner guidance
- Audit browser extensions that can reach GenAI tools: Inventory extensions on endpoints that access ChatGPT, Gemini, Copilot, or internal copilots, then flag any add-on that can script page content or interact with AI prompts.
- Classify GenAI browser sessions as sensitive data paths: Apply tighter monitoring to AI web apps used for source code, legal content, HR records, and customer data, because prompt exfiltration can happen inside a normal authenticated session.
- Shift extension review from permissions to behaviour: Do not rely on permission-only scoring.
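
One way to start the inventory described in the first item, as an added example (not code from LayerX Security or NHIMG): a static pass over Chrome-style `manifest.json` contents that flags extensions whose content scripts or host patterns cover GenAI hosts. The hostnames, extension names, and sample manifests are assumptions constructed for illustration.

```python
# Assumed hostnames for the tools the page names; adjust to your environment.
GENAI_HOSTS = ["chatgpt.com", "gemini.google.com", "copilot.microsoft.com"]

def pattern_covers(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern can apply to https://<host>/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # wildcard covers the base domain and subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def audit_manifest(manifest: dict) -> dict:
    """Return {genai_host: [reasons]} for one parsed manifest.json."""
    findings = {}
    scripts = [p for cs in manifest.get("content_scripts", []) for p in cs.get("matches", [])]
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = manifest.get("host_permissions", []) + [
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for host in GENAI_HOSTS:
        reasons = []
        if any(pattern_covers(p, host) for p in scripts):
            reasons.append("content_script")  # runs inside the page DOM
        if any(pattern_covers(p, host) for p in hosts):
            reasons.append("host_access")     # can inject or read on this origin
        if reasons:
            findings[host] = reasons
    return findings

# Constructed sample manifests (hypothetical extensions, not real products).
SAMPLES = {
    "grammar-helper": {"content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
    "workspace-notes": {"host_permissions": ["https://*.google.com/*"], "permissions": ["scripting"]},
    "weather-tab": {"permissions": ["storage"], "host_permissions": ["https://api.weather.example/*"]},
}

def audit_all(manifests: dict) -> dict:
    """Audit every manifest and keep only extensions that reach a GenAI host."""
    results = {name: audit_manifest(m) for name, m in manifests.items()}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLES).items():
        print(name, found)
```

This covers only the inventory step; in line with the third item, a manifest hit is a reason to examine what the extension does on those pages, not a risk score by itself.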
What's in the full article
LayerX Security's full article covers the operational detail this post intentionally leaves for the source:
- Proof-of-concept walkthroughs showing how a compromised extension injects prompts, reads outputs, and deletes traces
- Detailed examples of how the Gemini Workspace integration exposes emails, docs, contacts, and shared folders through the browser session
- Specific browser-layer mitigation ideas, including behavioural extension scoring and prompt tampering detection
- The article's full breakdown of why standard CASB, SWG, and DLP controls miss DOM-level abuse