AI Security - New Font-Rendering Attack Exposed
Basically, attackers hide harmful commands in web pages so AI tools can't see them.
A new font-rendering attack has been uncovered, allowing malicious commands to bypass AI assistants. This poses serious risks to users who trust these tools. Stay alert and verify commands before executing them.
What Happened
A new font-rendering attack has been discovered, allowing malicious commands to bypass AI assistants. Researchers at LayerX created a proof-of-concept demonstrating how attackers can use customized fonts and CSS to hide harmful instructions within seemingly harmless HTML. This technique relies heavily on social engineering, tricking users into executing commands that could compromise their systems.
The attack exploits the difference between how AI assistants analyze webpages and how browsers render them. While AI tools only see the structured text, users view a visual representation that can include malicious content. This disconnect can lead to dangerous recommendations from AI assistants, as they fail to recognize the hidden threats embedded in the webpage's design.
Who's Affected
As of December 2025, multiple popular AI assistants were vulnerable to this attack, including ChatGPT, Claude, and Copilot. Users of these platforms may unknowingly execute harmful commands, believing them to be safe due to the AI's reassuring responses. The potential for widespread exploitation raises concerns about the effectiveness of current safeguards in AI systems.
LayerX's findings indicate that this attack could significantly undermine user trust in AI technologies. If users cannot rely on AI assistants to accurately assess the safety of commands, they may hesitate to use these tools altogether, impacting the adoption of AI solutions across various sectors.
What Data Was Exposed
The primary risk associated with this attack is the exposure of sensitive commands that can lead to malicious actions, such as executing a reverse shell on the victim's machine. The hidden commands are encoded in a way that makes them unreadable to AI tools but visible to users. This means that while the AI assistant might only report benign content, the user could be executing harmful instructions without realizing it.
LayerX's report emphasizes that the attack does not require a significant breach of data but instead manipulates the existing trust users place in AI assistants. This manipulation can lead to a variety of security incidents, depending on the nature of the commands executed by the user.
What You Should Do
To protect yourself from this emerging threat, users should exercise caution when interacting with AI assistants and executing commands from web pages. It's crucial to verify the safety of instructions independently rather than relying solely on AI assessments. LayerX recommends that AI vendors enhance their systems by analyzing both the rendered page and the underlying HTML to better detect discrepancies that could indicate malicious intent.
Additionally, users should be aware that AI tools may not have safeguards against all forms of social engineering. As a best practice, always question the legitimacy of commands, especially those promising rewards or incentives. By staying informed and vigilant, users can mitigate the risks associated with such attacks.