Security researchers at ERNW have disclosed a critical vulnerability in Firefox's AI chatbot integration that allowed attackers to steal sensitive email data—including login verification codes—through prompt injection attacks hidden in webpage titles.

How the Attack Worked

Firefox offers built-in AI features for summarizing, explaining, and proofreading web content. When activated, Firefox pastes a structured prompt into a sidebar chat interface (an iFrame hosting third-party chatbots like Copilot or Claude) that includes the page title, selected text, and instructions for processing the content. "I'm on page ' $PAGE_TITLE ' with ' $PARTIAL_PAGE_CONTENT ' selected." The critical flaw: Firefox injects the complete page title directly into this prompt without sanitization. This means attackers can craft malicious webpage titles containing embedded instructions that get interpreted by the AI model as legitimate user commands.

Exploiting the Trust Model

Researchers Florian Port and colleagues demonstrated how a seemingly innocent page titled "Ducks — A One-Page Guide About These Beautiful Animals" could contain an injection payload hidden beyond what users see in their browser tabs. The malicious title used HTML escaping tricks—closing the tabTitle tag prematurely, injecting Admin-tagged instructions, then re-opening tags to match—to smuggle commands past visual inspection. The attack payload instructed Copilot to retrieve the user's last email containing a Booking.com verification code and exfiltrate it via an HTTP request to an attacker-controlled domain. While Copilot's free tier restricts access to full email content, attackers could still extract metadata including subjects where many sites send 2FA codes or login tokens. "The core of the issue lies in the fact that the AI chatbot providers' threat model is likely based on the assumption that the user prompt genuinely originates from the user," researchers explained. "External data sources are regarded as potentially malicious... but the content of the user prompt is treated as trustworthy."

Mozilla's Partial Fix

Mozilla implemented a mitigation by restricting page title length, making successful exploitation unlikely without extremely verbose injections. However, ERNW notes this doesn't resolve the fundamental architectural issue: external input should never be incorporated into prompts issued on behalf of the user. "This isn't a Firefox-specific problem," researchers emphasized. "Any application that pipes external, potentially attacker-controlled content into a user-attributed prompt is exposed to the same class of attack."

Key Takeaways

  • Never trust page metadata in AI prompts—titles, URLs, and extracted text can all be weaponized by attackers
  • AI providers' security assumptions break down when browsers inject external content as "user" input
  • Length restrictions are a band-aid; the fix requires rethinking how applications construct LLM prompts

The Bottom Line

This vulnerability exposes a dangerous pattern spreading across browser makers racing to integrate AI features. When Firefox pipes untainted page titles into prompts attributed to users, it's handing attackers a direct line into whatever data these chatbots can access. Length limits buy time but don't solve the root issue—developers need to stop treating external webpage content as trusted user input. The full technical disclosure is available on ERNW's Insinuator blog.