
Your AI Assistant Can't See What's Killing It

  • Writer: Patrick Duggan
  • Mar 17
  • 3 min read

Updated: Apr 25


The Font That Blinds Every Major AI


LayerX published research today that should make every organization using AI assistants stop and think.


The attack: modify a TrueType font's character-to-glyph mapping. The character "3" displays as "a." The browser sees the glyph. The AI reads the underlying code. They're looking at different things.


You embed a malicious prompt in a webpage or PDF. The user sees normal text. Their AI assistant — ChatGPT, Claude, Copilot, Gemini — reads the hidden command and executes it.


The Numbers


LayerX tested across all major AI assistants. GPT-4.1 was the most vulnerable, with a 76–80% success rate. The attack works across:


  • PDFs with embedded fonts
  • HTML pages with custom fonts
  • Emails with attachments
  • Any external resource an AI assistant ingests

60 antivirus programs tested. Zero detections. Current security tooling doesn't analyze font integrity. The attack walks right through.


What Gets Stolen


Two scenarios tested:


Scenario 1 — Malicious content relay: Get the AI to forward, summarize, or act on attacker-controlled instructions. 70% success via PDF. The AI thinks it's helping you. It's not.


Scenario 2 — Sensitive data leakage via MCP: If your AI has Model Context Protocol access to tools, files, or services — and most enterprise AI setups do — low-sensitivity data leaks at 50–67% success. Prior email requests in the conversation boosted success another 15–36 percentage points.


High-sensitivity data resisted direct exfiltration. Indirect prompts still got through 20–30% of the time.



Why This Works


The font trick exploits a gap that's fundamental to how browsers and AI models handle text differently.


The browser renders glyphs, the visual shapes the font defines. The AI reads Unicode code points, the underlying numbers. Remap the idDelta values in the font's cmap table and you split the visual from the semantic. One string, two meanings.


It's not a bug in ChatGPT. It's not a bug in Chrome. It's the gap between them.



This Is Indirect Prompt Injection


Font injection is one variant of a broader class: Indirect Prompt Injection. The attacker doesn't type into your AI's chat window. They put instructions in data the AI will ingest — webpages, documents, emails, RAG corpora, code repos.


The AI reads the data. The data contains commands. The AI executes them.


The Perplexity Comet exploit used invisible text in Reddit posts to leak user OTPs. Same category. Different delivery vector.


Font injection is nastier because it's visually indistinguishable from clean content. You can stare at the PDF and never see it.


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →



The Mitigation Nobody Mentions


Every writeup on this attack talks about AI vendor patches and browser-level font inspection. Both are the right answer. Both will take time.


There's a simpler one: don't load fonts from external CDNs.


If your application loads fonts from Google Fonts, Typekit, or any third-party CDN, you have a font injection surface. The CDN can be compromised. The font files can be swapped. Your AI assistant reads whatever glyphs those files define.


We host our own fonts. Static files, version-controlled, served from our own infrastructure. No CDN. No external dependency. No surface for this attack class.


That's not a coincidence. It's why we made the call.
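The defender-side check that the last two sections imply, as an added example that is not LayerX's research code or DugganUSA's tooling: parse a font's cmap format 4 subtable per the OpenType spec and diff it against the self-hosted, version-controlled copy of the same font, so a remapped idDelta shows up as a codepoint whose glyph id no longer matches the trusted baseline. The sample subtables, the `pack_format4` helper that builds them, and the glyph ids are constructed for this demo, not taken from any real font.

```python
import struct

def parse_cmap_format4(sub: bytes) -> dict:
    """Return {codepoint: glyph_id} from a TrueType cmap format 4 subtable."""
    fmt, _length, _lang, seg_x2 = struct.unpack_from(">HHHH", sub, 0)
    if fmt != 4:
        raise ValueError("not a cmap format 4 subtable")
    n = seg_x2 // 2
    end = struct.unpack_from(f">{n}H", sub, 14)            # arrays start after the 14-byte header
    start = struct.unpack_from(f">{n}H", sub, 16 + 2 * n)  # 2-byte reservedPad precedes startCode
    delta = struct.unpack_from(f">{n}h", sub, 16 + 4 * n)
    ro_pos = 16 + 6 * n
    range_off = struct.unpack_from(f">{n}H", sub, ro_pos)
    mapping = {}
    for i in range(n):
        for c in range(start[i], min(end[i], 0xFFFE) + 1):   # skips the 0xFFFF sentinel segment
            if range_off[i] == 0:
                gid = (c + delta[i]) & 0xFFFF   # the idDelta path the attack tampers with
            else:                               # glyphIdArray entry, addressed relative to idRangeOffset[i]
                pos = ro_pos + 2 * i + range_off[i] + 2 * (c - start[i])
                gid = struct.unpack_from(">H", sub, pos)[0]
                gid = (gid + delta[i]) & 0xFFFF if gid else 0
            if gid:
                mapping[c] = gid
    return mapping

def pack_format4(segments) -> bytes:
    """Constructed test data only: (start, end, idDelta) segments, idRangeOffset 0 throughout."""
    segs = sorted(segments) + [(0xFFFF, 0xFFFF, 1)]  # spec requires the 0xFFFF sentinel segment
    n = len(segs)
    body = struct.pack(f">{n}H", *[e for _, e, _ in segs]) + b"\x00\x00"   # endCode + reservedPad
    body += struct.pack(f">{n}H", *[s for s, _, _ in segs])                 # startCode
    body += struct.pack(f">{n}h", *[d for _, _, d in segs])                 # idDelta
    body += struct.pack(f">{n}H", *([0] * n))                               # idRangeOffset
    return struct.pack(">HHHHHHH", 4, 14 + len(body), 0, 2 * n, 0, 0, 0) + body

def cmap_diff(trusted: dict, observed: dict) -> list:
    """Codepoints whose glyph differs from the self-hosted copy: (codepoint, expected_gid, seen_gid)."""
    return [(c, trusted.get(c), observed.get(c))
            for c in sorted(set(trusted) | set(observed))
            if trusted.get(c) != observed.get(c)]

# Constructed baseline: '0'-'9' -> glyphs 20-29 and 'a'-'z' -> glyphs 30-55 in the trusted font.
TRUSTED = pack_format4([(0x30, 0x39, -28), (0x61, 0x7A, -67)])
# Constructed tampered copy: the '3' segment is split out so U+0033 now reaches glyph 30, the 'a' outline.
TAMPERED = pack_format4([(0x30, 0x32, -28), (0x33, 0x33, -21), (0x34, 0x39, -28), (0x61, 0x7A, -67)])

if __name__ == "__main__":
    print(cmap_diff(parse_cmap_format4(TRUSTED), parse_cmap_format4(TAMPERED)))  # [(51, 23, 30)]
```

A real audit locates the cmap table via the font's table directory and picks the (3, 1) Unicode subtable before handing it to `parse_cmap_format4`; the baseline is the byte-for-byte copy you serve from your own infrastructure.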



What's In Our Feed


The IOCs from this research are limited — LayerX responsibly disclosed without releasing PoC font files. No character remapping tables. No payload examples. Standard disclosure practice.


What we can do: index the LayerX research publication, the fontTools CVE (CVE-2025-66034, CVSS 9.8 on NVD), and flag the attack pattern for SIEM correlation.


If you're running AI assistants against external content — web browsing, document analysis, email summarization — this is the threat model you need to account for.

