Mozilla has been steadily expanding Firefox’s AI capabilities, allowing users to summarize articles, explain text, and proofread content directly from a sidebar powered by third-party chatbots like Copilot and Claude. But a newly disclosed security issue shows how these convenient AI features could potentially be turned against users.

Security researcher Florian Port has detailed a prompt injection vulnerability affecting Firefox’s AI integration, demonstrating how a malicious webpage could trick an AI assistant into accessing sensitive information from connected accounts and sending it to an attacker. This comes after Brave security researchers recently warned of indirect prompt injection attacks against Mozilla Tabstack and Cotypist, two AI-powered products that represent opposite ends of the deployment spectrum.

The issue stems from how Firefox passes information to AI chatbots when users invoke features like webpage summarization. Alongside the selected text, Firefox also includes the page title and instructions explaining what the AI should do with the content.

On paper, that sounds harmless. In practice, it creates an opportunity for abuse.

The problem is that AI models often treat the prompt they receive as trusted user input. If an attacker can manipulate part of that prompt, they may be able to sneak in hidden instructions that the AI follows without the user’s knowledge.

According to the researcher’s proof of concept, the page title is the most practical attack vector. A malicious website can use an unusually long title that appears normal in the browser tab while concealing a prompt injection payload further down the string.

Because browser tabs only display a portion of a page title, users may never notice anything suspicious. The same applies within the chatbot interface, where the hidden instructions can be buried far enough into the generated prompt that they remain out of sight.

Once the AI processes the injected instructions, things can get serious.

In the demonstration, the hidden prompt instructed Microsoft Copilot to retrieve the user’s latest email containing a Booking.com verification code and extract the code from the subject line. The AI then reportedly transmitted that information to an attacker-controlled server through an HTTP request.

the-injection-string-has-been-inserted-into-the-prompt-provided-to-the-model-on-Firefox

While the attack was demonstrated using email metadata rather than full email contents, that distinction offers little comfort. Many online services send one-time login codes and verification codes directly in email subject lines.

That means an attacker may not need access to your inbox itself. If your AI assistant already has permission to interact with connected services, those seemingly harmless pieces of metadata could become a target.

a-request-to-the-attacker-controlled-domain-has-been-made-and-the-login-code-has-been-extracted-successfully-on-Firefox

The good news is that Mozilla has already implemented some mitigations. According to the disclosure, Firefox now limits the length of page titles included in prompts for certain chatbot integrations, making this specific attack significantly harder to execute.

There is also reportedly a bug affecting the summarization feature when used with Copilot, which prevented researchers from reproducing the vulnerability during more recent testing. However, the researcher argues that these changes address the symptom rather than the root cause.

The broader issue is that attacker-controlled content is still being incorporated into prompts that AI systems interpret as coming directly from the user. As AI assistants become more deeply integrated into browsers, operating systems, and productivity tools, this category of prompt injection attack is likely to remain a challenge across the industry.

For now, users can reduce their exposure by limiting the permissions granted to browser-based AI assistants. If a chatbot cannot access your email, calendar, or other personal services, it cannot leak information from them. It’s also wise to avoid using AI summarization features on unfamiliar websites and to keep Firefox updated with the latest security fixes.

The post Firefox AI chatbot flaw could expose your email login codes through a malicious webpage appeared first on PiunikaWeb.