Researchers at LayerX demonstrated a font-rendering attack that uses custom fonts and CSS to hide malicious commands in webpage HTML: AI assistants analyzing the DOM see only benign text, while users see dangerous instructions rendered on screen. The proof-of-concept fooled multiple popular assistants and prompted recommendations to compare rendered pages with the DOM and to treat fonts and CSS as an attack surface. #LayerX #ChatGPT
Keypoints
- LayerX created a PoC that combines custom fonts, glyph substitution, and CSS tricks to display malicious commands to users while the DOM contains only harmless text.
- AI assistants that analyze only the page’s structured HTML failed to detect the rendered malicious instructions and gave reassuring safety assessments.
- The technique succeeded against many popular assistants in testing, including ChatGPT, Claude, Copilot, and Gemini.
- Most vendors classified the report as out of scope, treating the issue as social engineering, while Microsoft accepted and addressed it.
- LayerX recommends that LLM-based assistants compare rendered output with the DOM and treat fonts, color/opacity tricks, and tiny font sizes as potential attack surfaces.
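The core trick can be illustrated with a minimal sketch. This is not LayerX's actual PoC: the glyph table, strings, and checker below are hypothetical, standing in for a custom font whose character map draws one glyph for a different DOM codepoint. The sketch also shows why comparing rendered output against the DOM, as LayerX recommends, catches the mismatch.

```python
# Conceptual sketch (hypothetical, not LayerX's PoC): a custom font's
# character map can draw any glyph for any codepoint, so the text stored
# in the DOM differs from the text the user actually sees on screen.

# Hypothetical font cmap: DOM character -> glyph the font actually draws.
GLYPH_MAP = {
    "v": "c", "i": "u", "e": "r", "w": "l",
    " ": " ", "d": "x", "o": "|", "c": "s", "s": "h",
}

DOM_TEXT = "view docs"  # what an assistant reading the page's HTML sees

def rendered_text(dom_text: str, cmap: dict) -> str:
    """Simulate what the font paints for each DOM character."""
    return "".join(cmap.get(ch, ch) for ch in dom_text)

def naive_dom_safety_check(dom_text: str) -> str:
    """A DOM-only scanner: flags obvious shell patterns; sees none here."""
    dangerous = ("curl", "wget", "|sh", "rm -rf")
    return "dangerous" if any(p in dom_text for p in dangerous) else "looks safe"

on_screen = rendered_text(DOM_TEXT, GLYPH_MAP)
print(f"DOM text:     {DOM_TEXT!r}")        # 'view docs'
print(f"User sees:    {on_screen!r}")       # 'curl x|sh'
print(f"DOM verdict:  {naive_dom_safety_check(DOM_TEXT)}")   # looks safe

# LayerX's recommended mitigation, in miniature: compare rendered text
# with DOM text and flag any divergence as a possible font-based attack.
print("MISMATCH: rendered text differs from DOM"
      if on_screen != DOM_TEXT else "rendered text matches DOM")
```

A real exploit would ship the remapping inside a web font's `cmap` (or OpenType substitution rules) rather than a Python dict, but the failure mode is the same: any safety verdict computed only from DOM text says nothing about what the user was shown.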