Insinuator.net discloses Firefox AI email-exfiltration vulnerability

Insinuator.net disclosed a vulnerability in Firefox's AI sidebar that allows prompt injection to exfiltrate user email addresses. The browser sends page titles and selected content to third-party chatbots like Claude and Copilot, enabling attackers to craft malicious page titles that trick the model into sending personal data to attacker-controlled domains. The flaw highlights risks of treating page metadata as trusted input in AI integrations.

Insinuator.net discloses Firefox AI email-exfiltration vulnerability Insinuator.net reports that in October 2025 it discovered a vulnerability in Firefox 's AI sidebar features that can be abused to exfiltrate user email addresses. According to the disclosure, the browser pastes the page title and selected page content into the sidebar chatbot prompt, and the sidebar chat is implemented as an IFrame communicating with third-party chat providers such as Claude and Copilot Insinuator.net . The researcher demonstrates a prompt-injection proof of concept where a malicious page title hides instructions that cause the model to retrieve personal data and send it to an attacker-controlled domain Insinuator.net . Editorial analysis: This is a textbook prompt-injection vector that highlights the risk of treating page metadata as trusted input when relaying context to third-party models. What happened Insinuator.net reports that in October 2025 it discovered a vulnerability in Firefox 's AI sidebar integration that can be exploited to steal user email addresses. According to the disclosure, when a user requests summarization the browser inserts a prompt into the sidebar chat that includes the full page title and the selected or partially selected page content Insinuator.net . The sidebar chat is implemented as an IFrame that hosts third-party chat services such as Claude and Copilot, per the disclosure Insinuator.net . The researcher provides a proof of concept showing a malicious page title crafted to perform prompt injection; the injected instructions can cause the model to retrieve personal information and exfiltrate it via an HTTP request to an attacker-controlled endpoint Insinuator.net . The disclosure includes the prompt template used by Firefox, for example: "I'm on page "<tabTitle $PAGE TITLE </tabTitle " with "<selection $PARTIAL PAGE CONTENT </selection " selected." Insinuator.net . Editorial analysis - technical context Treating the page title and selection as trusted prompt context expands the attacker surface because page metadata is directly controllable by web content. Prompt injection via page fields is an established class of attack in the safety literature; browsers that forward page context into third-party model prompts without robust sanitization or provenance checks increase the chance that a model will follow attacker-controlled instructions. Architectures that host chat UI in an IFrame and connect to external models add complexity: the security posture depends on both the browser-side sanitization and the third-party model environment and connectors. Industry context Observed patterns in similar integrations show two recurring risks: untrusted web-origin data included verbatim in prompts, and models with external connectors or browser-access scopes being able to use those connectors to perform network requests. Both factors amplify exfiltration risk when combined. For practitioners, this case underscores why prompt hygiene, input sanitization, and minimal exposure of browser-origin metadata to models are operational safeguards frequently recommended in the security community. What to watch Observers will watch for a vendor response and any patch or mitigation notes from Firefox or Mozilla, updates to third-party chat providers about defensive parsing, and disclosure timelines from Insinuator.net. Security teams integrating browser-based AI assistants should review how UI-level context is marshaled into model prompts and whether the model sessions have network or connector privileges that could be abused. Scoring Rationale A practical prompt-injection vulnerability affecting a mainstream browser AI integration poses notable risk to user data and to practitioners integrating browser-hosted assistants. The story is technically significant but currently limited to a single researcher disclosure. Practice interview problems based on real data 1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with. Try 250 free problems /problems