Firefox AI Sidebar Flaw Lets Malicious Websites Steal Email Login Codes, Researcher Finds
Mozilla’s Firefox AI sidebar — which lets users summarize articles and proofread text through third-party chatbots including Microsoft Copilot and Anthropic’s Claude — carries a security flaw that could hand attackers one-time login codes drawn from a user’s connected email account.
Security researcher Florian Port publicly disclosed the vulnerability, demonstrating how a malicious webpage can hijack Firefox’s AI integration through a technique known as prompt injection — a method where hidden instructions embedded in attacker-controlled content manipulate an AI model into taking unintended actions.
How the Attack Works
When a user invokes Firefox’s AI summarization feature, the browser passes the selected text, a set of instructions, and the page title to the chatbot as a single prompt.
AI models typically treat that full prompt as trusted user input. That assumption is where the attack takes hold.
Port’s proof of concept exploits the page title as the primary attack vector. A malicious site can craft an unusually long title that looks normal inside a browser tab — which only displays a truncated portion — while concealing injected instructions further down the string.
Those hidden instructions remain out of the user’s view inside the chatbot interface as well, buried deep enough in the generated prompt to avoid detection.
What an Attacker Can Extract
In Port’s demonstration, the concealed instructions directed Microsoft Copilot to retrieve the user’s most recent email containing a Booking.com verification code, extract that code from the subject line, and transmit it to an attacker-controlled server via an HTTP request.
The attack targeted email subject lines rather than full message bodies. That distinction provides little protection in practice.
Many online services — banks, travel platforms, social networks — deliver one-time login codes and two-factor authentication (2FA) tokens directly in subject lines, meaning an attacker never needs to open the inbox itself.
If the AI assistant already holds permission to interact with a user’s connected accounts, those subject lines become viable targets.
Mozilla’s Response
Mozilla has already deployed partial mitigations. The company now caps the length of page titles that Firefox passes to certain chatbot integrations, making the specific attack Port demonstrated substantially harder to execute.
A separate Bug Affecting Copilot’s summarization feature also prevented researchers from reproducing the full attack chain during later testing.
Still, Port argues the fixes treat the symptom rather than the underlying condition. Attacker-controlled content still feeds into prompts that AI systems interpret as originating from the user — the core structural problem remains unresolved.
The disclosure follows a warning from Brave’s Security researchers about indirect prompt injection attacks targeting Mozilla Tabstack and Cotypist, two other AI-powered Mozilla products.
User Exposure
Users Can reduce their risk by restricting the permissions they grant to browser-based AI assistants. A chatbot without access to email, calendar, or connected services cannot exfiltrate data from them.
Security practitioners also advise against using AI summarization features on unfamiliar or untrusted websites, and recommend keeping Firefox updated to receive the latest patches as Mozilla continues addressing the issue.
Prompt injection as an attack class predates this disclosure. As AI assistants embed more deeply into browsers and productivity software, researchers expect the vulnerability category to persist across vendors and platforms industry-wide.
