A new threat is raising red flags in the cybersecurity world: it’s called Man-in-the-Prompt, and it sounds as stealthy as it really is. This type of attack can slip into conversations with generative AI tools like ChatGPT, Gemini, Copilot, or Claude—without requiring advanced techniques or complex security breaches. The most unsettling part? All it takes is a simple browser extension.
According to a recent study by LayerX, even extensions without special permissions can access what you type into language models, manipulate messages in the background, inject malicious commands, and even leak sensitive information—all without raising any suspicion. The tests included the main models on the market, with concrete demonstrations of how both ChatGPT and Gemini can be compromised.
What is Man-in-the-Prompt and Why Should You Care?
Man-in-the-Prompt (MitP) is the name of a new type of attack that challenges the way we interact with artificial intelligence tools like ChatGPT, Gemini, Copilot, or Claude. Unlike traditional cyberattacks that rely on complex technical vulnerabilities, this attack is based on something much simpler (and therefore, more alarming): the text field where you write your messages to the AI.
When you use an AI chatbot in your browser, everything you type goes through an HTML structure visible from the DOM (Document Object Model). This means that any extension installed in your browser can access, modify, or rewrite what you're about to send—without your knowledge. And it doesn't need special permissions or elevated access: it just needs to be there.
How Does the Man-in-the-Prompt Attack Work?
The process is as simple as it is effective:
- You open ChatGPT (or any other AI) in your browser.
- A malicious extension reads the text you're typing.
- That message is modified in real time: it may include hidden instructions or extract information from the AI’s response.
- You receive a reply that looks normal, but in reality, your conversation has already been manipulated or exposed.
And yes, this type of attack has been proven to work on all major AI tools, including:
- ChatGPT (OpenAI)
- Gemini (Google)
- Copilot (Microsoft)
- Claude (Anthropic)
- DeepSeek (Chinese AI model)
Attack Chain (Source: LayerX)
Why Is It So Dangerous?
The real danger of this attack lies in its invisible nature. The user doesn’t notice anything unusual, and traditional security systems—like firewalls or antivirus software—don’t either. Here are some of the specific risks it poses:
Theft of Sensitive Data
If your company uses AI to review source code, draft internal documents, or process financial data, all that information can be intercepted without anyone realizing it.
Manipulation of AI Behavior
An injected prompt can completely alter how the AI responds, biasing results or even producing replies that would normally be blocked.
Evasion of Security Controls
Since the attack happens before the message ever reaches the AI server, it bypasses security filters like proxies, DLPs (Data Loss Prevention), and other corporate systems. According to the LayerX report, 99% of enterprise users have at least one extension installed in their browser. That simple fact exponentially increases the attack surface.
What Is Prompt Injection and Why Does It Matter?
The Man-in-the-Prompt attack is actually a form of what’s known as prompt injection. This technique has already been recognized as one of the most serious threats to AI systems and is listed in the OWASP Top 10 LLM 2025.
What’s especially concerning is that these injections don’t have to come from an experienced hacker. They can be hidden in:
- Emails with concealed instructions
- Comments in shared documents
- Support tickets with carefully crafted text
For example:
- A business chatbot that processes customer messages could be manipulated to reveal internal information if it doesn’t properly filter instructions.
- An AI assistant reading emails could be tricked into sending data to a third party if it encounters a hidden command in the message body.
What Can You Do to Protect Yourself?
For Individual Users:
- Regularly review which extensions you have installed. If you’re not using one, remove it.
- Only install extensions from trusted sources (check reviews and permissions).
- Adjust each extension’s permissions: if it doesn’t need access to page content, disable it.
For Businesses:
- Monitor and control which extensions can be installed on corporate devices.
- Isolate AI environments from sensitive data, especially for critical tasks.
- Implement security tools that monitor the DOM in real time to detect manipulations before they reach the server.
- Conduct security testing focused on prompt injection, simulating these types of attacks to assess your level of exposure.
One promising measure is the use of digital signatures in prompts (known as prompt signing), which allows systems to verify that the content hasn’t been altered before being processed. Techniques like prompt spotlighting are also being explored—this method tags the origin of each instruction to help distinguish between trusted and potentially manipulated content.
What Lessons Can We Learn from All This?
This type of attack forces us to rethink how we approach security in AI systems. It's not enough to protect the model or the cloud server. We also need to secure the interface where the interaction happens—which is often as simple as a text field in the browser.
The research makes one thing clear: in the age of artificial intelligence, security doesn’t start in the backend… it starts in the most unexpected place—your browser.