Novel font-rendering attack prevents AI assistants from detecting illicit code

BleepingComputer reports that widely used AI assistants, including ChatGPT, Copilot, Claude, Grok, Perplexity, and Gemini, could be compromised with malicious commands concealed within webpages' HTML code in a new font-rendering proof-of-concept attack.

Potential intrusions commence with visits to a website promising a reward following the execution of a reverse shell command, with the AI assistant ignoring the illicit instruction within the HTML code that is visible to the user due to its use of a custom font, according to a LayerX analysis.

"This disconnect between what the assistant sees and what the user sees results in inaccurate responses, dangerous recommendations, and eroded trust," said LayerX researchers, who called on LLM vendors to consider fonts to be a possible means of compromise.

Even though vendors have been informed about the findings, only Microsoft has moved to remediate the issue, with Google and many others dismissing the risk as 'out of scope' due to its overdependence on social engineering tactics.