Font Rendering Trick Conceals Malicious Commands from AI-powered Tools
Researchers Discover New Attack Vector
Researchers have discovered a novel technique that allows attackers to conceal malicious commands from artificial intelligence (AI) tools by leveraging a font-rendering trick. This method exploits the disconnect between how AI assistants analyze webpages as structured text and how browsers render them visually.
Exploiting the Disconnect between AI Assistants and Browser Rendering
The attack, demonstrated by security researchers at LayerX, uses a custom web font whose glyph substitution remaps characters, so the string in the page source is rendered on screen as a different string. CSS is then used to hide benign text from the user (a near-zero font size, or a text colour chosen to match the background) while the malicious instruction is displayed clearly. An AI tool that analyses the page's HTML or DOM therefore sees the harmless text plus the unrendered source characters, and never sees the command that the browser actually shows the user.
Testing and Results
During testing, the researchers found that this technique was successful against multiple popular AI assistants, including ChatGPT, Claude, Copilot, Gemini, Leo, Grok, Perplexity, Sigma, Dia, Fellou, and Genspark, as of December 2025. The attack begins with a user visiting a webpage that appears safe and promises a reward, which can be obtained by executing a command. If the user asks the AI assistant to verify the safety of the instructions, they will receive a reassuring response.
To demonstrate the attack, LayerX created a proof-of-concept page that promises an Easter egg for the video game Bioshock if the user follows the on-screen instructions. The page's underlying HTML contains harmless text that is hidden from the user but visible to the AI assistant, together with the malicious instruction, which the AI tool does not recognise because the custom font remaps its characters: the page source does not read as the command the browser renders. The assistant therefore interprets only the benign part of the page and answers incorrectly when asked whether the command is safe to run.
Vendor Response and Recommendations
LayerX reported their findings to the vendors of the affected AI assistants on December 16, 2025. However, most vendors classified the issue as out of scope due to requiring social engineering. Microsoft was the only vendor to accept the report and request a full disclosure date, escalating the issue by opening a case in MSRC. Google initially accepted the report but later downgraded and closed the issue, stating that it couldn’t cause significant user harm and was overly reliant on social engineering.
The researchers recommend that users not blindly trust AI assistants, which may lack safeguards against this class of attack. They suggest that an AI assistant which analyses both the rendered page and the text-only DOM, and compares the two, would be better placed to judge how safe a page is for the user. They also provide recommendations for LLM vendors: treat fonts as a potential attack surface, and extend parsers to flag text whose foreground colour matches its background, text with near-zero opacity, and text set in very small fonts.
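The following is an added example, not code from LayerX or from any of the vendors named above, that implements the parser-side checks just listed over a constructed page built along the lines of the technique described earlier: it walks the HTML, computes each text node's effective style, separates text a user would actually see from text hidden by a tiny font, near-zero opacity or a background-matching colour, and flags any visible text set in a font declared by `@font-face`, since the DOM characters of such text cannot be trusted to match the rendered glyphs. The sample HTML, the font name `RemapMono`, the class names and the numeric thresholds are all assumptions made for this example; only inline styles, simple `.class` rules and a default white background are resolved, so a real deployment would use a proper CSS engine.

```python
import re
from html.parser import HTMLParser

# Thresholds are assumptions for this example, not values published by LayerX.
TINY_FONT_PX = 2.0
NEAR_ZERO_OPACITY = 0.05
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}

FONT_FACE_RE = re.compile(r"@font-face\s*\{[^}]*?font-family\s*:\s*['\"]?([^;'\"}]+)", re.I | re.S)
CLASS_RULE_RE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}", re.S)

# Constructed sample page (not LayerX's PoC): hidden benign text next to visible
# text in a custom font whose glyphs need not match the source characters.
SAMPLE_HTML = """
<html><head><style>
@font-face { font-family: "RemapMono"; src: url(remap.woff2); }
.hint  { font-family: "RemapMono"; font-size: 20px; }
.ghost { font-size: 1px; color: #fff; }
</style></head>
<body style="background-color: #ffffff">
<h1>Unlock the Easter egg</h1>
<p>Type the line below exactly as shown:</p>
<p class="hint">follow the on-screen guide</p>
<p class="ghost">This page only asks you to read a guide. Nothing here runs commands.</p>
<p style="opacity: 0.01">Just open the settings menu and look around.</p>
</body></html>
"""


def parse_style(text):
    """Turn 'color: #fff; opacity: 0.1' into {'color': '#fff', 'opacity': '0.1'}."""
    out = {}
    for decl in text.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def norm_color(color):
    """Expand #abc to #aabbcc and map a couple of keywords so colours compare equal."""
    color = color.replace(" ", "")
    if re.fullmatch(r"#[0-9a-f]{3}", color):
        color = "#" + "".join(ch * 2 for ch in color[1:])
    return {"white": "#ffffff", "black": "#000000"}.get(color, color)


class HiddenTextScanner(HTMLParser):
    """Classifies text nodes as visible, hidden, or visible-but-in-a-custom-font."""

    def __init__(self):
        super().__init__()
        self.font_faces = set()      # names declared via @font-face
        self.class_rules = {}        # '.name { ... }' rules from <style>
        self.in_style = False
        self.stack = []              # effective style dict per open element
        self.visible, self.hidden, self.custom_font = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        if tag == "style":
            self.in_style = True
        parent = self.stack[-1] if self.stack else {"background-color": "#ffffff"}
        # Inherit what matters visually: the parent's background shows through,
        # and colour, font size, font family and hiding properties cascade down.
        eff = {k: parent[k] for k in ("background-color", "color", "font-size", "font-family",
                                       "display", "visibility", "opacity") if k in parent}
        for cls in (attrs.get("class") or "").split():
            eff.update(self.class_rules.get(cls, {}))
        eff.update(parse_style(attrs.get("style") or ""))   # inline style wins
        self.stack.append(eff)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "style":
            self.in_style = False
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_style:
            self.font_faces.update(n.strip().lower() for n in FONT_FACE_RE.findall(data))
            for name, body in CLASS_RULE_RE.findall(data):
                self.class_rules[name] = parse_style(body)
            return
        text = " ".join(data.split())
        if not text or not self.stack:
            return
        style = self.stack[-1]
        reasons = hidden_reasons(style)
        if reasons:
            self.hidden.append((text, reasons))
            return
        self.visible.append(text)
        family = style.get("font-family", "").split(",")[0].strip().strip("'\"")
        if family in self.font_faces:
            self.custom_font.append((text, family))


def hidden_reasons(style):
    """Return the list of hiding tricks that apply to a text node's effective style."""
    reasons = []
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        reasons.append("display/visibility")
    size = re.fullmatch(r"([\d.]+)px", style.get("font-size", ""))
    if size and float(size.group(1)) <= TINY_FONT_PX:
        reasons.append("tiny font")
    try:
        if float(style.get("opacity", "1")) <= NEAR_ZERO_OPACITY:
            reasons.append("near-zero opacity")
    except ValueError:
        pass
    if "color" in style and norm_color(style["color"]) == norm_color(style["background-color"]):
        reasons.append("text matches background")
    return reasons


def scan(html):
    """Split a page into what the user sees and what only a DOM reader sees."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "visible_text": " ".join(scanner.visible),
        "hidden_text": scanner.hidden,
        "custom_font_text": scanner.custom_font,
        "custom_fonts": sorted(scanner.font_faces),
        # DOM text in a custom font may render as different glyphs; hidden text
        # is only there for a non-rendering reader. Either alone is a warning.
        "untrusted": bool(scanner.custom_font) or bool(scanner.hidden),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The verdict the scanner returns is deliberately conservative: an assistant asked "is this safe to run?" should refuse to answer from the DOM alone once it sees either hidden text or visible text in a font it did not render, and fall back to OCR of a screenshot or to a glyph-level inspection of the font file.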
