TL;DR: Researchers showed that Lenovo’s Lena AI chatbot could be manipulated with simple prompts into leaking session cookies and handing off access to human-support workflows, using HTML, JSON, and plain-text output tricks that resembled old XSS-style abuse, according to Swarmnetics. The case shows that AI productivity tools can create identity and session risks faster than security controls are adapted, especially where output handling and privilege boundaries are weak.
NHIMG editorial — based on content published by Swarmnetics: Lenovo’s Lena AI Chatbot Is a Cautionary Tale About Rapid Adoption
Questions worth separating out
Q: What breaks when an AI chatbot can treat untrusted text as an instruction?
A: The main failure is that the chatbot stops being a responder and starts acting like a control surface.
Q: Why do AI chatbots create session theft risk in customer support flows?
A: Because support flows often combine authenticated browsers, cookies, and human escalation inside one conversation.
Q: What do security teams get wrong about prompt injection in chatbots?
A: They often treat it as a prompt-writing problem when it is really a trust-boundary problem.
Practitioner guidance
- Separate model output from executable workflow logic Do not let chatbot output flow directly into HTML rendering, URL construction, browser navigation, or tool invocation without strict validation and allowlisting.
- Protect session cookies as high-risk credentials Apply HttpOnly, Secure, SameSite, short lifetimes, and rapid revocation for sessions that appear in AI-assisted support journeys.
- Require step-up verification before support handoff When an AI assistant escalates to a human agent, re-authenticate the user and do not inherit the chatbot context as proof of identity.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step prompt sequence used to steer the chatbot into unsafe output handling and cookie exposure.
- The exact HTML, JSON, and plain-text response pattern that enabled the feedback loop into attacker-controlled instructions.
- The researchers' observations on how the human support handoff expanded the access path beyond the chatbot itself.
- The broader comparison to older injection patterns and why this technique may generalise to other ChatGPT-based deployments.
👉 Read Swarmnetics' analysis of Lenovo's Lena chatbot prompt-injection attack →
Prompt injection in AI chatbots: what it means for IAM teams?
Explore further
Prompt injection is now an identity problem because chatbot trust can be converted into session theft. The important failure is not that the model was fooled, but that the workflow allowed a conversational response to interact with cookie-bearing browser sessions and support escalation. That makes the identity boundary porous, especially where AI assistants sit inside authenticated customer journeys. Practitioners should treat model orchestration as part of the access-control plane.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when an AI assistant overshares sensitive content?
A: Accountability sits with the team that owns the policy, the attribute feeds, and the enforcement points, because ABAC only works when all three are managed together. If any one of them is missing, the organisation has not built a defensible control path, even if the model itself appears constrained.
👉 Read our full editorial: Lenovo Lena chatbot shows how prompt injection becomes account theft