Custom Fonts Can Trick AI Assistants Into Approving Phishing Sites

KnowBe4 Team | Mar 27, 2026

Researchers at LayerX warn that custom fonts can fool AI web assistants into thinking phishing pages are benign, while the human user sees something completely different.

“There is a structural disconnect between what an AI assistant analyzes in a page’s HTML and what a user sees rendered by the browser,” the researchers explain. “In certain scenarios, such assistants can give inaccurate and potentially dangerous responses to users, and attackers can exploit this limitation to perform social engineering attacks.

“Using a custom font and CSS, HTML text can be transformed visually for the user but remain unchanged within the DOM. When a page is rendered in the browser, what the user sees is completely different from the underlying HTML. Yes, the content is still there, but it is effectively stripped away from the user’s view.”

LayerX tested the technique with a fake ClickFix phishing page, finding that every browser assistant failed to recognize the threat.

“We built a proof-of-concept page that appears to be a video game fanfiction, but when rendered in the browser encourages the user to perform steps that will lead to a reverse shell,” the researchers write.

“When asked if the page was safe, every non-agentic assistant that we tested (ChatGPT, Claude, Copilot, Dia, Fellou, Gemini, Genspark, Grok, Leo, Perplexity, and Sigma) failed to detect the ‘hidden’ text and confidently told the user that the page did not pose a security concern.”
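The mechanism the researchers describe (DOM text unchanged, rendering controlled by a page-supplied font) means a scanner or assistant that reads only the HTML cannot tell what the user sees. The script below is an added example, not code from LayerX or KnowBe4: a heuristic pre-check that flags text nodes whose rendering is governed by a font the page defines itself through `@font-face`, with an embedded `data:` URI font treated as the strongest signal. It assumes plain CSS (class selectors, tag selectors and inline `style` attributes only) and runs on a constructed sample page whose DOM text is harmless fan fiction, mirroring the scenario in the quote.

```python
import re
from html.parser import HTMLParser

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}", re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*([^;]+)", re.I)
SRC_RE = re.compile(r"src\s*:\s*([^;]+)", re.I | re.S)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def _families(decl):
    """Lowercased, unquoted font-family names in a CSS declaration block."""
    m = FAMILY_RE.search(decl)
    if not m:
        return []
    return [f.strip().strip("\"'").lower() for f in m.group(1).split(",")]


class _Collector(HTMLParser):
    """Collect <style> CSS and each text node with its ancestors' tags, classes and inline fonts."""

    def __init__(self):
        super().__init__()
        self.css, self.texts = [], []
        self._stack = []            # (tag, classes, inline font families)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag in VOID_TAGS:        # never closed, so never pushed
            return
        self._stack.append((tag, set((a.get("class") or "").split()),
                            _families(a.get("style") or "")))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]  # also drops unclosed inner tags
                break

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)
            return
        text = data.strip()
        if text:
            self.texts.append((text,
                               set().union(*(c for _, c, _ in self._stack)),
                               {t for t, _, _ in self._stack},
                               [f for _, _, fams in self._stack for f in fams]))


def find_font_masked_text(html):
    """Return text nodes rendered with a page-defined @font-face font.

    Each finding records the DOM text, the font family, and whether the font is
    embedded in the page as a data: URI rather than fetched from a font host.
    """
    p = _Collector()
    p.feed(html)
    css = "\n".join(p.css)

    # 1. fonts the page defines itself, and whether each is shipped inline
    custom = {}
    for block in FONT_FACE_RE.findall(css):
        src = SRC_RE.search(block)
        embedded = bool(src and "data:" in src.group(1).lower())
        for fam in _families(block):
            custom[fam] = embedded
    if not custom:
        return []

    # 2. class and tag selectors that apply one of those fonts
    class_sel, tag_sel = {}, {}
    for selector, decl in RULE_RE.findall(FONT_FACE_RE.sub("", css)):
        fams = [f for f in _families(decl) if f in custom]
        if not fams:
            continue
        for s in (x.strip() for x in selector.split(",")):
            if s.startswith("."):
                class_sel[s[1:]] = fams[0]
            elif re.fullmatch(r"[A-Za-z][\w-]*", s):
                tag_sel[s.lower()] = fams[0]

    # 3. text nodes under a matching class, tag or inline style
    findings = []
    for text, classes, tags, inline in p.texts:
        font = (next((class_sel[c] for c in classes if c in class_sel), None)
                or next((tag_sel[t] for t in tags if t in tag_sel), None)
                or next((f for f in inline if f in custom), None))
        if font:
            findings.append({"text": text, "font": font, "embedded": custom[font]})
    return findings


# Constructed sample page (not the LayerX proof of concept): the DOM text is
# harmless fan fiction, but two paragraphs use a font the page embeds itself,
# so an assistant reading only the DOM cannot know what the user sees.
SAMPLE_HTML = """<html><head><style>
  @font-face { font-family: "StoryFont"; src: url(data:font/woff2;base64,AAAA) format("woff2"); }
  .story { font-family: "StoryFont", serif; }
  .about { font-family: Georgia, serif; }
</style></head><body>
<h1>Chapter 3: The Lost Save File</h1>
<p class="about">A fan story about a game nobody remembers.</p>
<p class="story">Mara reloaded the save file one last time before the final boss.</p>
<p style="font-family: StoryFont">The credits rolled, but the game was not over.</p>
</body></html>"""

if __name__ == "__main__":
    for f in find_font_masked_text(SAMPLE_HTML):
        kind = "embedded" if f["embedded"] else "external"
        print(f"[{kind} font {f['font']!r}] rendering may differ from DOM text: {f['text']}")
```

On the sample page the `h1` and the Georgia paragraph pass, while the two StoryFont paragraphs are reported with `embedded=True`. A finding does not prove a page is malicious; it marks text an assistant should refuse to vouch for unless it can inspect the rendered output (for example a screenshot) rather than the DOM alone.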

Most AI tools are still susceptible to this technique, so users need to be wary of potential phishing attacks.

“LayerX reached out to all the vendors impacted by our research,” the company says. “However, with the exception of Microsoft, they all explained that this falls ‘out of scope’ of what they consider to be AI model security and involved social engineering, demonstrating once again the disconnect between what AI platforms secure, and what users think they secure.”

LayerX has the story.
