MCP and A2A in AI Agent Protocols — Security considerations (III) — Man-in-the-Prompt Attacks

Intro

LayerX researchers have discovered a novel GenAI attack vector known as Man-in-the-Prompt (MitP). It leverages browser extensions to silently inject, manipulate, and exfiltrate data via GenAI tools’ prompt interfaces.

Reference here

The Attack Vector is based on DOM-level manipulation through browser extensions (no special permissions needed). LayerX’s research shows that any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it, and cover their tracks.

Man in the Prompt

When users interact with an LLM-based assistant, the prompt input field is typically part of the page’s Document Object Model (DOM).

Bad actors can leverage malicious or compromised extensions to perform nefarious activities:

• Perform prompt injection attacks, altering the user’s input or inserting hidden instructions.
• Extract data directly from the prompt, response, or session.
• Compromise model integrity, tricking the LLM into revealing sensitive information or performing unintended actions.

In commercial tools, users often paste proprietary or regulated content. Internal LLMs, meanwhile, are typically trained on confidential corporate datasets, from source code to legal documents to M&A strategy.

Every LLM, AI Application is Affected

• Third-party LLMs: Tools like ChatGPT, Claude, Gemini, Copilot, and others, which are accessed via web apps.
• Enterprise LLM deployments: Custom copilots, RAG-based search assistants, or any internal tool built with an LLM frontend served via browser.
• Users of AI-enabled SaaS Applications: Existing SaaS applications that enhance their capabilities by adding built-in AI integrations and LLMs, which can be used to query sensitive customer data stored on the application (such as user information, payment information, health records, and more).
• Any user with browser extension risk: Particularly those in technical, legal, HR, or leadership roles with access to privileged data.

Internal LLMs Are Particularly Exposed

While commercial AI tools are popular entry points for GenAI use, some of the most consequential targets for this exploit are internally deployed LLMs.

Internal LLMs are often trained or augmented with highly sensitive, proprietary organizational data:

• Intellectual property such as source code, design specs, and product roadmaps
• Legal documents, contracts, and M&A strategy
• Financial forecasts, PII, and regulated records
• Internal communications and HR data

The goal of these internal copilots or RAG-based systems is to empower employees to access this information faster and more intelligently. But that same convenience becomes a liability when browser-based access is coupled with invisible extension risk.

Recommendations

• Prevention: Use group policies to manage browser extensions (reference here). Collect and audit periodically browser extensions (artifacts).
• Monitor in-browser behavior (DOM inspection, real-time detection).
• Dynamic extension risk scoring (not based solely on permissions).
• Apply Zero Trust to browser extensions across enterprise endpoints.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html