
Man-in-the-prompt attacks: are browser controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Browser extensions with no special permissions can read and alter GenAI prompts, inject hidden instructions, and exfiltrate results across tools such as ChatGPT and Gemini, with 99% of enterprise users already running at least one extension, according to LayerX Security. The security problem is no longer just model abuse; it is browser-level identity and session trust collapse.

NHIMG editorial — based on content published by LayerX Security: Top 5 GenAI Tools Vulnerable to Man-in-the-Prompt Attack, Billions Could Be Affected

By the numbers:

Questions worth separating out

Q: How should security teams govern browser extensions that access GenAI tools?

A: Treat extensions as part of the AI access path, not as harmless add-ons.

Q: Why do browser-based GenAI tools create more risk than many IAM teams expect?

A: Because the session can be legitimate while the interaction is malicious.

Q: What breaks when prompt injection happens through a browser extension?

A: The normal control stack loses visibility into the attack.

Practitioner guidance

  • Audit browser extensions that can reach GenAI tools: Inventory extensions on endpoints that access ChatGPT, Gemini, Copilot, or internal copilots, then flag any add-on that can script page content or interact with AI prompts.
  • Classify GenAI browser sessions as sensitive data paths: Apply tighter monitoring to AI web apps used for source code, legal content, HR records, and customer data, because prompt exfiltration can happen inside a normal authenticated session.
  • Shift extension review from permissions to behaviour: Do not rely on permission-only scoring.

What's in the full article

LayerX Security's full article covers the operational detail this post intentionally leaves for the source:

  • Proof-of-concept walkthroughs showing how a compromised extension injects prompts, reads outputs, and deletes traces
  • Detailed examples of how the Gemini Workspace integration exposes emails, docs, contacts, and shared folders through the browser session
  • Specific browser-layer mitigation ideas, including behavioural extension scoring and prompt tampering detection
  • The article's full breakdown of why standard CASB, SWG, and DLP controls miss DOM-level abuse

👉 Read LayerX Security's analysis of man-in-the-prompt attacks on GenAI tools →

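One way to act on the first guidance item above (inventory the extensions that can script GenAI pages), as an added example that is not code from the post or from LayerX Security: a Python audit of extension manifest.json files that reports which GenAI hosts each extension can reach, whether through a targeted match pattern, a wildcard content script, or host permissions. The GenAI hostnames and the two sample manifests are constructed for the example.

```python
import json

# Constructed host list for the example; add internal copilot hostnames here.
GENAI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

def pattern_covers_host(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern lets a script run on pages served from `host`.

    Patterns look like <scheme>://<host>/<path>; a host of '*' or '*.example.com'
    is a wildcard, and '<all_urls>' covers everything, including every GenAI web app.
    """
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # file:, ftp: or malformed patterns cannot reach web apps
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host

def audit_manifest(manifest: dict) -> list[dict]:
    """List every GenAI host an extension can script, and how it gets there."""
    # content_scripts run inside the page DOM; no extra API permission is needed.
    reach = [("content_script", p) for cs in manifest.get("content_scripts", [])
             for p in cs.get("matches", [])]
    # MV3 host_permissions (or MV2 permissions) also allow runtime script injection.
    reach += [("host_permission", p)
              for p in manifest.get("host_permissions", []) + manifest.get("permissions", [])
              if "://" in p or p == "<all_urls>"]
    return [{"tool": tool, "host": host, "via": kind, "pattern": pattern}
            for host, tool in GENAI_HOSTS.items()
            for kind, pattern in reach if pattern_covers_host(pattern, host)]

# Constructed manifests: a writing helper declaring a wildcard content script,
# and a narrowly scoped extension that never touches a GenAI page.
WIDE = json.loads('{"manifest_version":3,"name":"Writing Helper",'
                  '"content_scripts":[{"matches":["*://*/*"],"js":["cs.js"]}]}')
NARROW = json.loads('{"manifest_version":3,"name":"Repo Tools",'
                    '"content_scripts":[{"matches":["https://github.com/*"],"js":["cs.js"]}],'
                    '"host_permissions":["https://*.github.com/*"]}')

if __name__ == "__main__":
    for m in (WIDE, NARROW):
        hits = audit_manifest(m)
        print(m["name"], "->", sorted({f["tool"] for f in hits}) or "no GenAI reach")
```

In practice, point this at the manifest.json of each installed extension collected from endpoints; a hit via a wildcard content script is exactly the "no special permissions" case the TL;DR describes.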
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Browser-level prompt control is now an identity problem, not just an application problem. The article shows that a validly authenticated user can still have their GenAI session manipulated by a browser extension that operates inside the same session context. That moves the trust boundary from the model to the browser, where conventional IAM, SWG, and DLP tooling has far less visibility. Practitioners should treat the browser as part of the identity enforcement surface.

A few things that frame the scale:

A question worth separating out:

Q: Who should be accountable for extension-driven AI data loss?

A: Shared accountability is needed across identity, endpoint, and AI governance teams. IAM owns access policy, endpoint teams own browser control posture, and AI governance owns the rules for sensitive prompts and internal copilots. If extensions can alter prompts invisibly, no single control domain can claim complete coverage.

👉 Read our full editorial: Browser extensions expose a new prompt injection path for GenAI


