Safety vendor LayerX recently revealed a new attack method called "font rendering." Hackers use custom fonts and CSS styles to cleverly disguise malicious commands, successfully misleading mainstream AI tools such as ChatGPT, Claude, and Copilot, causing them to provide users with incorrect security advice.
The core of this attack lies in exploiting the discrepancy between the text AI extracts and the rendered visuals seen by the user:
Character Mapping Tampering: Attackers modify custom font files, rendering normal letters into garbled text while displaying hidden malicious payloads (such as dangerous commands) as seemingly harmless readable instructions.
CSS Visual Control: Hackers hide real text on web pages using extremely small font sizes or specific colors, while magnifying the malicious payload.
Consequences: AI assistants read disguised harmless content, leading to a "safe" evaluation; however, what users see in their browsers is the hacker's carefully crafted dangerous instructions.
LayerX demonstrated a phishing page that used a game easter egg as bait, tricking users into running a piece of code. When victims asked an AI to evaluate this code, the AI could not recognize the hidden malicious logic and responded with "completely safe," ultimately leading victims to execute high-risk commands like reverse shells on their local devices.
LayerX reported this vulnerability to relevant vendors in December 2025, but responses varied significantly:
Microsoft: The only company that responded promptly and has fully fixed the vulnerability.
Google and other vendors: Google initially classified it as high-risk, then downgraded and closed the case, citing "over-reliance on social engineering"; most other vendors considered this outside their security scope.
Security experts remind users to remain vigilant when handling web scripts evaluated by AI and not to fully rely on AI for compliance reviews.
