New Font-Rendering Attack Tricks AI Assistants into Ignoring Malicious Commands

A groundbreaking attack technique has emerged that exploits the gap between what AI assistants “see” and what human users actually see on web pages. By cleverly hiding malicious commands in seemingly harmless HTML and using font and style manipulations, attackers can fool AI tools into missing dangerous instructions, while still displaying them clearly to the user. This new vulnerability highlights the growing sophistication of web-based social engineering attacks and raises serious questions about the reliability of AI security checks.

How the Attack Works

The attack relies on social engineering to lure users into executing malicious commands that are visually presented on a webpage but hidden in the page’s HTML for AI assistants. Researchers at browser-security company LayerX developed a proof-of-concept (PoC) demonstrating that custom fonts, CSS styling, and glyph substitution can render harmful instructions readable to humans while remaining invisible to AI.

Specifically, attackers encode commands so that the underlying HTML appears meaningless or benign. CSS tricks like very small font sizes or specific color combinations hide the malicious text from AI, while the browser renders it normally to the user. When AI assistants analyze the page, they interpret only the safe text and fail to flag the dangerous instructions.

During testing, this approach successfully bypassed several widely used AI assistants, including ChatGPT, Claude, Copilot, Gemini, Leo, Grok, Perplexity, Sigma, Dia, Fellou, and Genspark. LayerX explains: “An AI assistant analyzes a webpage as structured text, while a browser renders that webpage visually. Attackers can manipulate the rendering layer to change the human-visible meaning without altering the underlying DOM. This disconnect can result in inaccurate AI responses, dangerous recommendations, and eroded trust.”

The attack often begins with a seemingly innocent page offering rewards—like unlocking an Easter egg in a video game—if the user executes a command. If the user asks the AI assistant for guidance, it will typically respond reassuringly because it sees only the benign HTML, not the encoded malicious instruction.

Industry Response

After LayerX reported the findings on December 16, 2025, most AI vendors considered the issue “out of scope” due to its reliance on social engineering. Microsoft was the exception, accepting the report, opening a case in MSRC, and fully addressing the vulnerability. Google initially prioritized the issue but later closed it, citing limited user harm and over-reliance on social engineering.

LayerX warns that AI assistants should not be blindly trusted, as they currently cannot distinguish between visual rendering and underlying HTML content. They suggest that large language models (LLMs) would be safer if they could analyze both the rendered page and the text-only DOM and compare them.

Recommendations for Safer AI Browsing

To mitigate risks, LayerX recommends that LLM vendors treat fonts and CSS as potential attack surfaces. Developers should extend parsers to detect tiny fonts, low-opacity text, or foreground/background color matches that might conceal malicious content. Without these safeguards, AI assistants may continue to be blind to visually rendered threats.
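The parser extension LayerX describes, as an added example that is neither LayerX's code nor from the article: it walks a page's DOM carrying inherited inline styles and flags every text node a human would not see (tiny font, low opacity, matching foreground and background colours), so an assistant can compare its own reading with what the user is shown. The thresholds, the 16px base font, the "every property inherits" simplification and the sample page are assumptions; only inline `style` attributes are evaluated, not stylesheets or computed styles.

```python
import re
from html.parser import HTMLParser

FONT_PX_MIN, OPACITY_MIN = 4.0, 0.1  # assumed thresholds, not numbers from the LayerX report
UNIT_PX = {"px": 1, "pt": 4 / 3, "em": 16, "rem": 16, "%": 0.16}  # assumes a 16px base font

def _px(length):  # CSS length -> pixels; None when it is not a plain number plus unit
    m = re.fullmatch(r"\s*([\d.]+)\s*(px|pt|em|rem|%)?\s*", length)
    return float(m.group(1)) * UNIT_PX[m.group(2) or "px"] if m else None

def hiding_reasons(style):
    """List the CSS properties in `style` that would keep the text from a human reader's eyes."""
    reasons, px, op = [], _px(style.get("font-size", "")), style.get("opacity", "1")
    if px is not None and px < FONT_PX_MIN:
        reasons.append("tiny-font")
    if re.fullmatch(r"[\d.]+", op) and float(op) < OPACITY_MIN:
        reasons.append("low-opacity")
    if "color" in style and style["color"] == style.get("background-color"):
        reasons.append("color-match")  # exact string match; 'white' vs '#fff' needs normalisation
    return reasons

class HiddenTextScanner(HTMLParser):  # walks the DOM, tagging each text node with its hiding reasons
    def __init__(self):
        super().__init__()
        self.stack, self.text, self.skip = [{}], [], False  # simplification: every property inherits
    def handle_starttag(self, tag, attrs):
        raw = dict(attrs).get("style") or ""
        decl = {k.strip().lower(): v.strip().lower()
                for k, v in (d.split(":", 1) for d in raw.split(";") if ":" in d)}
        self.stack.append({**self.stack[-1], **decl})
        self.skip = tag in ("style", "script")  # CSS/JS source is never human-visible text
    def handle_endtag(self, tag):
        if len(self.stack) > 1:
            self.stack.pop()
        self.skip = False
    def handle_data(self, data):
        text = " ".join(data.split())
        if text and not self.skip:
            self.text.append((text, hiding_reasons(self.stack[-1])))

def scan(html):
    """Return (text a human would read, [(DOM text that CSS hides, reasons)]) for one page."""
    s = HiddenTextScanner()
    s.feed(html)
    s.close()
    return " ".join(t for t, r in s.text if not r), [(t, r) for t, r in s.text if r]

# Constructed sample page, not LayerX's PoC: the DOM carries lines the browser would not show.
SAMPLE = """<html><head><style>p{margin:0}</style></head><body>
<p>Paste this command to unlock the Easter egg:</p><p style="font-size:1px">hidden step one</p>
<p style="color:#fff;background-color:#fff"><span>matching colours</span></p>
<p style="opacity:0.02">faint text</p><p style="font-size:14px">Normal text</p></body></html>"""
```

Any non-empty hidden list means the assistant's text-only view and the rendered page disagree, which is the discrepancy LayerX says should be surfaced to the user.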

What Undercode Says:

This font-rendering exploit underscores a fundamental limitation in current AI assistants: they are text-first, not visually aware. While AI excels at parsing structured content, it cannot inherently detect manipulations in the rendering layer—an increasingly exploited attack vector. Social engineering combined with font and CSS tricks creates a perfect storm for attackers.

The real risk lies not in raw AI weaknesses but in the human-AI interaction model. Users trust AI guidance, yet the AI may never “see” what humans see. This creates scenarios where following seemingly safe advice can lead to system compromise: by exploiting the separation between the DOM and the visual display, attackers can get users to run commands that look harmless to the AI but are fully actionable on the user’s system.

Large language models could be fortified by integrating rendered-page analysis, essentially giving AI “eyes” alongside textual parsing. This dual-mode scanning could detect discrepancies between what humans see and what the code contains.

Vendors’ reluctance to classify this as a serious threat demonstrates a critical blind spot: AI security is often judged solely on technical exploitability, not on human-assisted attack paths. Social engineering is a core part of many attacks, from phishing to ransomware, yet remains underprioritized in AI threat modeling.

Furthermore, the PoC demonstrates the creative use of typography and visual manipulation as a weapon. Attackers don’t need to exploit code vulnerabilities—they simply exploit AI’s limited perception. Any AI-dependent workflow, from financial guidance to software deployment, is potentially vulnerable if malicious content can be hidden in plain sight.

LayerX’s recommendation to treat fonts as an attack surface is novel but essential. Developers need to monitor font substitution, text opacity, and color contrast to prevent visually hidden commands. Even small design choices can have enormous security implications.

This attack also exposes a fundamental trust issue: users are conditioned to believe that AI’s assessment equals safety. In reality, AI may provide false reassurances, and humans executing instructions remain the weak link.

Organizations deploying AI assistants must now consider hybrid evaluation: AI should parse both DOM and rendered visuals, flag discrepancies, and provide risk scoring. Otherwise, attackers can weaponize the human interface itself.

In essence, this technique is a reminder that cybersecurity in AI isn’t just about code—it’s about perception, context, and trust. Attackers are evolving faster than protective models, and human oversight remains critical.

Training AI to detect visual-text discrepancies and integrating these checks into real-time monitoring could be a significant step forward. Failing that, AI assistants will remain vulnerable to low-effort, high-impact manipulations that exploit human trust.

The attack also illustrates why AI vulnerability disclosure programs must account for social engineering-based attacks, not just technical exploits. The industry’s hesitation to act signals a systemic underestimation of visual attack vectors.

Long-term solutions may require AI models to incorporate computer vision techniques, essentially merging traditional LLM parsing with rendered-page visual analysis. This could close the gap exploited in this attack and provide a more holistic safety assessment.

Without such innovation, AI assistants will continue to be susceptible to the simplest of tricks: a carefully disguised instruction displayed in a way humans can read but machines cannot.

Fact Checker Results

✅ LayerX confirmed the PoC bypassed multiple AI assistants, including ChatGPT and Copilot.
✅ Microsoft acknowledged the vulnerability and fully addressed it; other vendors largely dismissed it.
✅ Attack relies on social engineering combined with visual manipulation; technically feasible but context-dependent.

Prediction

⚠️ Expect attackers to increasingly leverage visual-layer exploits to bypass AI safety checks.
⚠️ AI vendors may prioritize multi-layer analysis, combining DOM and rendered visuals, to prevent future font-rendering attacks.
⚠️ Users will need to maintain skepticism and avoid blindly executing AI-suggested commands on untrusted pages.


References:

Reported By: www.bleepingcomputer.com
