ML Security PapersWhen AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins
Yigitcan Kaya , Anton Landerer , Stijn Pletinckx , Michelle Zimmermann , Christopher Kruegel , Giovanni Vigna
Published on arXiv
2511.05797
Prompt Injection
OWASP LLM Top 10 — LLM01
Insecure Plugin Design
OWASP LLM Top 10 — LLM07
Key Finding
8 of 17 real-world chatbot plugins allow conversation history forgery (including fake system messages), amplifying direct prompt injection attack success by 3–8x; 15 plugins introduce indirect injection risk via unvetted web-scraping tools.
Prompt injection attacks pose a critical threat to large language models (LLMs), with prior work focusing on cutting-edge LLM applications like personal copilots. In contrast, simpler LLM applications, such as customer service chatbots, are widespread on the web, yet their security posture and exposure to such attacks remain poorly understood. These applications often rely on third-party chatbot plugins that act as intermediaries to commercial LLM APIs, offering non-expert website builders intuitive ways to customize chatbot behaviors. To bridge this gap, we present the first large-scale study of 17 third-party chatbot plugins used by over 10,000 public websites, uncovering previously unknown prompt injection risks in practice. First, 8 of these plugins (used by 8,000 websites) fail to enforce the integrity of the conversation history transmitted in network requests between the website visitor and the chatbot. This oversight amplifies the impact of direct prompt injection attacks by allowing adversaries to forge conversation histories (including fake system messages), boosting their ability to elicit unintended behavior (e.g., code generation) by 3 to 8x. Second, 15 plugins offer tools, such as web-scraping, to enrich the chatbot's context with website-specific content. However, these tools do not distinguish the website's trusted content (e.g., product descriptions) from untrusted, third-party content (e.g., customer reviews), introducing a risk of indirect prompt injection. Notably, we found that ~13% of e-commerce websites have already exposed their chatbots to third-party content. We systematically evaluate both vulnerabilities through controlled experiments grounded in real-world observations, focusing on factors such as system prompt design and the underlying LLM. Our findings show that many plugins adopt insecure practices that undermine the built-in LLM safeguards.
Key Contributions
- First large-scale empirical study of 17 third-party chatbot plugins used by 10,000+ public websites, characterizing their security posture against prompt injection
- Discovery that 8 plugins fail to enforce conversation history integrity, allowing adversaries to forge system messages and boosting direct prompt injection success 3–8x
- Discovery that 15 plugins expose chatbots to untrusted content via web-scraping tools with no trust boundary enforcement, with ~13% of e-commerce sites already vulnerable to indirect prompt injection