Exploiting Custom Fonts: A New Threat to AI Systems
A recent discovery has unveiled a novel attack method that exploits a fundamental oversight in AI web assistants, such as ChatGPT, Claude, Gemini, and others. This technique leverages the disparity between a browser’s visual rendering and the AI’s interpretation of the underlying HTML code. By utilizing custom font files and basic CSS, attackers can discreetly embed malicious instructions that are visible to users but remain undetected by AI safety mechanisms.
Understanding the Attack Mechanism
The core of this attack lies in the difference between a webpage’s Document Object Model (DOM) text and its visual presentation. While AI assistants analyze the raw HTML structure of a webpage, browsers render the page visually by interpreting fonts, CSS, and glyph mappings. This creates an opportunity for attackers to manipulate what users see without altering the underlying HTML that AI systems analyze.
In December 2025, LayerX demonstrated this vulnerability through a proof-of-concept. They created a webpage that appeared to be a fanfiction site for the video game Bioshock. However, a custom font was used as a visual substitution cipher. This font rendered the standard HTML text as tiny, background-colored gibberish invisible to the user, while displaying a separate encoded payload in large, readable green text instructing the user to execute a reverse shell on their machine.
AI Assistants’ Inadequate Response
Tests revealed that AI assistants, including ChatGPT, Claude, Copilot, Gemini, Grok, Perplexity, and others, failed to detect the malicious content. These systems analyzed the DOM text and confirmed the page’s safety, often encouraging users to follow the on-screen instructions. This oversight stems from AI tools treating DOM text as a complete representation of the webpage, neglecting the rendering layer where the actual user-visible content resides.
Vendor Responses and Security Implications
LayerX responsibly disclosed these findings to major AI vendors in December 2025. The responses varied:
– Microsoft: Acknowledged the report and requested a full 90-day remediation period.
– Google: Initially assigned a high priority but later de-escalated and closed the report on January 27, 2026.
– OpenAI: Rejected the report as out of scope, citing insufficient impact for triage.
– Anthropic: Dismissed the issue as social engineering, explicitly stating it was out of scope.
– xAI: Rejected the report and directed it to their safety team.
– Perplexity: Classified the issue as a known limitation of large language models, not a security vulnerability.
Microsoft was the only vendor to fully address the issue and engage in the complete disclosure timeline.
Broader Implications and Recommendations
This attack highlights a significant risk in AI-assisted social engineering. By tricking an AI into endorsing a malicious page, attackers can exploit the AI’s trusted reputation to manipulate users. As AI copilots and browser assistants become more integrated into enterprise security workflows, these text-only analysis tools create exploitable blind spots.
To mitigate such risks, AI vendors should implement dual-mode render-and-diff analysis, treat custom fonts as potential threat surfaces, scan for CSS-based content hiding techniques (such as near-zero opacity and color-matched text), and avoid issuing confident safety verdicts without verifying a page’s full rendering context.
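As an added illustration (not LayerX's proof of concept and not any vendor's code), the following Python heuristic scans a page's `<style>` rules for the indicators the recommendations above name: a page-supplied `@font-face` with an embedded font, text set in that font, near-zero font size or opacity, and text coloured to match a declared background. The sample page and the thresholds are constructed assumptions, and inline `style=""` attributes and nested at-rules are not handled.

```python
import re

# Constructed sample page (not the LayerX proof of concept): an embedded @font-face
# plus rules that shrink and colour-match the DOM text against the background.
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: 'cipher'; src: url(data:font/woff2;base64,AAAA); }
body { background-color: #000000; }
.story { font-family: 'cipher'; font-size: 1px; color: #000000; }
.aside { opacity: 0.01; }
</style></head><body><p class="story">Chapter one of the fanfic...</p></body></html>"""

def css_rules(html):
    """Yield (selector, {property: value}) for each flat rule in <style> blocks.
    Nested at-rules such as @media and inline style="" attributes are not handled."""
    for block in re.findall(r"<style[^>]*>(.*?)</style>", html, re.S | re.I):
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", block):
            props = {}
            # split on ';' except inside url(...) so data: URIs stay intact
            for decl in re.split(r";(?![^(]*\))", body):
                if ":" in decl:
                    key, value = decl.split(":", 1)
                    props[key.strip().lower()] = value.strip().lower()
            yield selector.strip(), props

def hiding_indicators(html):
    """Return (selector, reason) pairs for the CSS hiding techniques the article lists."""
    rules = list(css_rules(html))
    backgrounds = {p["background-color"] for _, p in rules if "background-color" in p}
    custom_fonts = {p["font-family"].strip("'\"") for s, p in rules
                    if s.startswith("@font-face") and "font-family" in p}
    findings = []
    for selector, p in rules:
        if selector.startswith("@font-face") and "data:" in p.get("src", ""):
            findings.append((selector, "embedded custom font (possible glyph substitution)"))
            continue
        if p.get("font-family", "").strip("'\"") in custom_fonts:
            findings.append((selector, "renders text with a page-supplied custom font"))
        size = re.match(r"([\d.]+)px", p.get("font-size", ""))
        if size and float(size.group(1)) <= 2:
            findings.append((selector, "near-zero font size"))
        try:
            if float(p.get("opacity", "1")) < 0.1:
                findings.append((selector, "near-zero opacity"))
        except ValueError:
            pass
        if p.get("color") in backgrounds:
            findings.append((selector, "text colour matches a page background colour"))
    return findings
```

Running `hiding_indicators(SAMPLE_HTML)` flags the `@font-face` rule, three indicators on `.story`, and the opacity on `.aside`; a render-and-diff check would still be needed to confirm what the user actually sees.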