Tech

Hidden prompts in HTML: the invisible threat exploiting AI browsers

The rise of a new attack vector

AI browsers promised to revolutionize how we interact with the internet. Tools like ChatGPT Atlas, Perplexity Comet, and other agentic browsers can summarize webpages, draft emails, and execute tasks across multiple sites - all while operating with your authenticated credentials. These capabilities make them powerful productivity tools, but they've also introduced a security vulnerability that traditional cybersecurity measures weren't designed to handle.

The core issue is deceptively simple: AI systems can't reliably distinguish between your instructions and malicious commands embedded in the content they're reading. When an AI browser processes a webpage, it treats everything it encounters - visible text, hidden HTML elements, even invisible instructions - as potentially legitimate input. This fundamental weakness has given rise to a new category of cyberattack: hidden prompt injection.

What are hidden prompts?

Hidden prompts are potentially malicious instructions embedded within webpage content that remain invisible to human users but are fully accessible to AI systems processing that content. Think of them as secret commands written in a language that only machines can see and understand.

These hidden instructions can take multiple forms, each exploiting different aspects of how web content is structured and how AI browsers parse that content:

  • Invisible text manipulation - Attackers embed text in colors that blend into the background (white text on white backgrounds), use CSS styling to set font sizes to zero pixels, or position text off-screen. Human visitors see nothing unusual, but AI systems using optical character recognition (OCR) or HTML parsing read every character.
  • HTML comment exploitation - Comments wrapped in <!-- --> tags don't render visually in browsers, but AI systems processing the underlying HTML code encounter and interpret them as potential instructions.
  • Metadata manipulation - Malicious instructions embedded in fields that browsers don't typically display but that AI systems often analyze for context. Meta description tags, alt text for images, and title attributes can all carry hidden commands while serving their legitimate functions for search engines and accessibility tools.
  • Steganographic techniques - Text hidden within images using specific color combinations that blend into backgrounds.

The sophistication varies, but the principle remains constant: create a gap between what humans perceive and what AI systems process.

The security risks

When AI browsers operate with your authenticated privileges across multiple websites, a successful injection can escalate into full system compromise.

  • Credential theft - Malicious prompts instruct AI browsers to extract and exfiltrate login credentials, session tokens, or passwords.
  • Cross-domain exploitation - Hidden prompts on one site can instruct an AI to navigate to your banking site, extract account information, or initiate transactions.
  • Data exfiltration - Subtle instructions direct AI browsers to summarize sensitive information in responses or insert tracking pixels that send data to attacker-controlled servers.
  • Persistent exploitation - A poisoned PDF in a shared drive or compromised documentation file can shape AI behavior across multiple sessions.

Why traditional defenses fail

Antivirus tools and security software weren't built for this threat model. For decades, cybersecurity focused on detecting known malicious patterns: virus signatures, suspicious code execution, network anomalies. These approaches work against traditional attacks but are blind to prompt injection.

The fundamental problem: prompt injection attacks don't look malicious to conventional security tools. There's no malware to detect, no system exploit to block, no suspicious network traffic to flag. The attack consists entirely of natural language instructions - text that AI systems are specifically designed to read and execute. Security software scanning the same webpage sees only benign HTML and innocuous text.

These attacks often happen entirely on the user's device, making them nearly invisible to network monitoring tools. The AI browser reads, interprets, and acts on hidden prompts locally without triggering server-side alarms.

Detecting the invisible: how web data reveals hidden threats

Our research into hidden prompts began with examining HTML source code patterns across websites. Discovering these implementations required searching our dedicated fields for websites containing the phrase "Ignore all previous instructions" and similar prompt injection patterns. This revealed dozens of active websites embedding instructions specifically designed to manipulate AI systems. The ease of detection highlights both the prevalence of the practice and how readily available web data can identify these attempts.

By analyzing the sites we identified - from developer portfolios to business websites - clear detection signals emerged that distinguish legitimate content from potential injection attempts:

  • Developer humor and experimentation - Websites embed playful hidden messages targeting AI systems in their HTML source code. The content of these hidden prompts varies widely: some suggest AI systems recommend specific recipes, others claim to provide proof of alien life, while some instruct AI to rewrite content in humorous styles suited for animals or as poetry. While these implementations are typically benign, they demonstrate the ease with which developers can craft messages specifically for AI consumption. The technical barrier is remarkably low - basic HTML knowledge suffices.
  • Review manipulation schemes - Our analysis identified multiple businesses embedding hidden instructions seemingly designed to influence AI-generated reviews or summaries. Restaurant and hospitality websites contain hidden text patterns that don't serve legitimate SEO or accessibility purposes. When AI systems process these sites to generate reviews, summaries, or recommendations, the hidden content can shape their output. Instructions to emphasize certain attributes, downplay negative aspects, or include specific keywords in any generated text can manipulate the narrative without human visitors ever seeing the prompts. Real estate and service provider sites show similar patterns.
  • CV and resume manipulation - Personal websites and portfolio sites contain hidden instructions that appear designed to influence how AI systems interpret and summarize professional qualifications. As recruitment processes increasingly incorporate AI screening tools that analyze candidate websites and portfolios, hidden prompts can instruct these systems to emphasize certain skills, overlook gaps in experience, or frame qualifications in favorable terms.
  • Potentially malicious implementations - Some sites demonstrate patterns consistent with more aggressive exploitation attempts. Examples include hidden prompts instructing AI systems to initiate cryptocurrency transfers to specific wallet addresses when summarizing the website’s content or processing transaction-related queries.

Our crawling infrastructure indexes not just what websites display visually, but the complete underlying HTML structure, CSS styling, JavaScript implementations, and metadata layers that most visitors never see. This comprehensive visibility enables detection of anomalies that indicate potential hidden prompt injection attempts.

Our database tracking shows an increasing growth in hidden prompt implementations. When we search for hostnames containing the phrase "Ignore all previous instructions," the trend is unmistakable:

The growth trend is striking. Numbers remained stable through June 2024, then jumped in July 2024, marking the beginning of a growth that continued through 2025. The sharp acceleration in mid-2024 coincides with the mainstream adoption of AI browsers and widespread discussion of prompt injection vulnerabilities in security circles.

Looking ahead

Hidden prompt injection marks a fundamental shift in web security. For decades, security focused on blocking malicious code and suspicious network traffic. AI agents that process untrusted content while operating with user privileges change this calculus entirely.

The path forward requires better AI model design, sophisticated defensive systems, comprehensive web data analysis, and realistic expectations about AI autonomy.

As AI systems become more capable and integrated into workflows, the stakes increase. The question isn't whether prompt injection will continue evolving, but whether defenses can keep pace. In this new security landscape, seeing the invisible isn't just an advantage - it's essential.