Hackers Exploit AI Assistant Vulnerabilities through Secret Websites
Threat Actors Exploit Hidden Website Instructions to Target AI Assistants
Cybersecurity researchers have uncovered a new type of attack that uses hidden website instructions to exploit AI assistants such as GitHub Copilot.
The Method: Indirect Prompt Injection (IPI)
The method involves hiding secret commands on ordinary websites that are only visible to the AI agents. These agents, designed to assist humans, cannot distinguish between the data they read and the instructions they follow, making them vulnerable to exploitation.
How IPI Works
- An attacker hides instructions within a website’s content, which the AI agent then reads and follows as legitimate commands.
- This vulnerability, known as a missing data-instruction boundary, allows the attacker to execute malicious actions without being detected.
“The attackers are exploiting the trust that users have placed in AI assistants,” said a researcher at Forcepoint. “They’re using the AI’s own strengths against it.”
Methods Used by Attackers
- Small font sizes
- Transparent colors
- HTML comments
- Metadata tags
- Accessibility features and CSS tricks
Implications of IPI
- Financial fraud
- Data wiping
- System spoofing
- Stealing API keys
- Distributed Denial-of-Service (DDoS) attacks
The researchers found ten instances of IPI on real websites during April 2026.
About Author
English