Security researchers found a vulnerability in Firefox's AI summarization feature that allows attackers to steal emails by injecting hidden instructions into webpage titles, which Firefox has since limited in length to reduce the risk.

What happened: In October 2025, researchers discovered that Firefox's AI chatbot integration (which summarizes, explains, or proofreads web content by piping text into third-party AI services like Claude or Copilot) passes the webpage title directly into the user's prompt. Attackers can embed malicious instructions in the page title that the AI model interprets as legitimate user commands, enabling it to extract sensitive data like email login codes and send them to attacker-controlled servers without the user's knowledge.

Why it matters: Firefox and other AI chatbot providers assume that user prompts are intentional and trustworthy, so they protect external sources (emails, websites) with security checks while treating the user's own input as safe. When Firefox injects attacker-controlled webpage titles into the user prompt, that trust boundary breaks. The core issue affects any application that pipes external, potentially attacker-controlled content into a user-attributed prompt — not just Firefox.

What to watch: Mozilla implemented a fix by limiting the page title length to make successful prompt injection very unlikely, but researchers disclosed the vulnerability publicly on June 16, 2026, after a disclosure period from October 2025. The fundamental problem — that external input is incorporated into prompts made on behalf of the user — remains unresolved.