analysis

Your Customer Service Chatbot Is a Security Hole

IEEE S&P research finds 10,000+ websites running vulnerable AI chatbot plugins. Attackers can forge conversations, hijack tools, and extract system prompts.

Security camera mounted on wall in dimly lit corridor

That friendly “How can I help you?” popup on your favorite e-commerce site? Researchers just demonstrated it can be weaponized against you.

A study accepted to IEEE Symposium on Security and Privacy 2026—one of the top computer security conferences—found that 17 widely-deployed third-party chatbot plugins expose over 10,000 websites to prompt injection attacks. The vulnerabilities allow attackers to forge conversation histories, hijack chatbot tools, and extract confidential system prompts.

The paper’s authors—Yigitcan Kaya, Anton Landerer, Stijn Pletinckx, Michelle Zimmermann, Christopher Kruegel, and Giovanni Vigna—didn’t just find theoretical weaknesses. They demonstrated working attacks against real plugins, tested them across 11 different LLM models from OpenAI, Anthropic, and Google, and measured success rates that should alarm anyone deploying these tools.

The Attack Surface

The researchers identified two distinct vulnerability classes, each affecting different subsets of the 17 plugins analyzed:

Conversation History Tampering: Eight plugins serving approximately 8,000 websites fail to enforce integrity checks on conversation data transmitted between visitors and chatbots. Attackers can inject fake system messages into the conversation history, boosting their ability to elicit unintended behavior by 3 to 8 times compared to standard prompt injection.

Indirect Injection via Third-Party Content: Fifteen plugins use tools like web scraping to enrich chatbot context with website-specific information. The problem: they don’t distinguish between trusted developer content (product descriptions) and untrusted third-party content (customer reviews). Roughly 13% of sampled e-commerce sites have already exposed their chatbots to this attack vector.

The Numbers

The attack success rates are grim:

  • System prompt extraction: ~60% success via system injection, ~30% via assistant injection
  • Task hijacking (getting the chatbot to do something other than its intended purpose): ~98% success against insecure configurations, ~62% against “hardened” prompts
  • Tool hijacking (making the chatbot misuse its own capabilities): 20-100% success rates depending on the configuration

Even when plugins attempted to harden their prompts, the researchers found that system prompt hardening alone provides “limited protection against attacks targeting LLM tool-use capabilities.”

Why This Should Worry You

The chatbot plugin ecosystem grew by nearly 50% in 2025 alone. Between August 2024 and April 2025, the researchers watched their target set expand from 10,417 to 17,474 affected websites.

These aren’t obscure tools. The plugins analyzed span both WordPress-specific solutions and generic commercial offerings that power customer service on major e-commerce platforms. When you ask a chatbot about a product return, you’re trusting that:

  1. Your conversation history hasn’t been tampered with by a previous attacker
  2. The context the chatbot pulls from the website doesn’t contain malicious instructions hidden in customer reviews
  3. The chatbot won’t be tricked into using its tools—like sending emails or accessing customer data—for purposes other than helping you

The research demonstrates that none of these assumptions hold.

What’s Being Done (And Why It’s Not Enough)

The researchers practiced responsible disclosure. The most widely deployed plugin (anonymized as “P1” in the paper) responded through its bug bounty program and implemented fixes. Another plugin now logs warnings about potential attacks.

But the rest? Still vulnerable. Still serving thousands of websites. Still trusting that LLM-level defenses will somehow protect against attacks that exploit plugin-level weaknesses.

The researchers proposed concrete defenses:

  • Content isolation: Segregating untrusted user-generated content from trusted developer content
  • Tool instruction hardening: Strengthening tool-use descriptions specifically against hijacking
  • Message integrity verification: Cryptographic authentication of conversation histories
  • Enhanced logging: Making injected prompts visible in plugin dashboards

None of these are particularly exotic. Content isolation and message integrity are security 101. The fact that they’re missing from production systems serving millions of users tells you where priorities lie in the chatbot gold rush.

The paper’s conclusion is worth quoting directly: “Without these plugin-layer protections, the next generation of LLM applications on the web remains at risk.”

The chatbot you’re talking to right now might be listening to someone else’s instructions.