When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins

📅 2025-11-08
🤖 AI Summary
This study systematically exposes the real-world security risks of prompt injection attacks against third-party AI chatbot plugins—particularly lightweight web-based LLM applications (e.g., customer service bots)—arising from insufficient dialogue history integrity and context-aware tool design flaws. We conduct the first large-scale empirical analysis of 17 real-world commercial plugins, integrating network traffic monitoring, controlled experiments, and system-level prompt reverse-engineering. Our findings reveal: (i) direct dialogue history tampering vulnerabilities in 8 plugins, increasing attack success rates by 3–8×; (ii) indirect prompt injection pathways via web scraping in 15 plugins; and (iii) approximately 13% of top e-commerce sites already exposed to injection threats originating from third-party content. The work establishes the first empirical benchmark and reproducible methodology for LLM plugin security assessment.

📝 Abstract
Prompt injection attacks pose a critical threat to large language models (LLMs), with prior work focusing on cutting-edge LLM applications like personal copilots. In contrast, simpler LLM applications, such as customer service chatbots, are widespread on the web, yet their security posture and exposure to such attacks remain poorly understood. These applications often rely on third-party chatbot plugins that act as intermediaries to commercial LLM APIs, offering non-expert website builders intuitive ways to customize chatbot behaviors. To bridge this gap, we present the first large-scale study of 17 third-party chatbot plugins used by over 10,000 public websites, uncovering previously unknown prompt injection risks in practice. First, 8 of these plugins (used by 8,000 websites) fail to enforce the integrity of the conversation history transmitted in network requests between the website visitor and the chatbot. This oversight amplifies the impact of direct prompt injection attacks by allowing adversaries to forge conversation histories (including fake system messages), boosting their ability to elicit unintended behavior (e.g., code generation) by 3 to 8x. Second, 15 plugins offer tools, such as web-scraping, to enrich the chatbot's context with website-specific content. However, these tools do not distinguish the website's trusted content (e.g., product descriptions) from untrusted, third-party content (e.g., customer reviews), introducing a risk of indirect prompt injection. Notably, we found that ~13% of e-commerce websites have already exposed their chatbots to third-party content. We systematically evaluate both vulnerabilities through controlled experiments grounded in real-world observations, focusing on factors such as system prompt design and the underlying LLM. Our findings show that many plugins adopt insecure practices that undermine the built-in LLM safeguards.
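As an added illustration (not code from the paper or from any of the plugins it studies), the following sketches the server-side control whose absence the abstract describes: the backend signs every conversation-history snapshot it hands to the browser and refuses to forward a history that was edited in transit, such as one with an inserted fake system turn. The key handling, message format and function names are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Per-deployment secret held only by the chatbot backend; it is never sent to
# the visitor's browser. (Constructed for this example; a real service would
# load it from its secret store.)
SERVER_KEY = secrets.token_bytes(32)

# The roles a visitor-facing history may legitimately contain. The system prompt
# is kept server-side and is deliberately not part of the signed history.
ALLOWED_ROLES = {"user", "assistant"}


def canonical(history):
    """Serialize the history deterministically so the HMAC is stable."""
    return json.dumps(history, sort_keys=True, separators=(",", ":")).encode()


def sign_history(history, key=SERVER_KEY):
    """Return the history plus the tag the client must echo back unchanged."""
    tag = hmac.new(key, canonical(history), hashlib.sha256).hexdigest()
    return {"history": history, "tag": tag}


def verify_history(envelope, key=SERVER_KEY):
    """True only if the echoed history is byte-for-byte what the server issued
    and contains no roles the visitor is not allowed to author."""
    history = envelope.get("history", [])
    if any(turn.get("role") not in ALLOWED_ROLES for turn in history):
        return False
    expected = hmac.new(key, canonical(history), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def handle_turn(envelope, user_message, key=SERVER_KEY):
    """One chat turn: validate the echoed history, append the visitor's
    message as role=user (the only role a visitor may add), and re-sign."""
    if not verify_history(envelope, key):
        raise ValueError("conversation history failed integrity check")
    history = envelope["history"] + [{"role": "user", "content": user_message}]
    return sign_history(history, key)
```

The system prompt and any assistant replies are added by the server before re-signing, so a visitor who rewrites earlier turns or inserts a `system` entry in the request body gets a rejected request rather than an altered LLM context.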
Problem

Research questions and friction points this paper is trying to address.

Investigating prompt injection vulnerabilities in third-party AI chatbot plugins
Analyzing conversation history integrity failures across 8,000 websites
Examining indirect injection risks through undifferentiated content integration tools
Innovation

Methods, ideas, or system contributions that make the work stand out.

Studied 17 third-party chatbot plugins security risks
Uncovered conversation history forgery in network requests
Identified indirect prompt injection via untrusted content tools