TL;DR
A security researcher found multiple weaknesses in Eurostar's public AI chatbot that allowed guardrail bypass, prompt exfiltration and client-side script execution. The researcher disclosed the issues through Eurostar's vulnerability program, encountered communication problems, and reports the issues were later fixed.
What happened
A researcher investigating Eurostar’s website chatbot under the company’s vulnerability disclosure programme discovered several security problems in the bot’s design and API. The frontend sends the entire chat history to a REST endpoint (https://site-api.eurostar.com/chatbot/api/agents/default), and the server performs a guardrail check only on the most recent message. If the latest message passes, the server returns a signature and the full history is treated as trusted context, but older messages are not re-signed or cryptographically bound to that decision. This allowed client-side modification of earlier messages to influence model input. The researcher also found prompt-injection paths that could reveal system prompts and an HTML injection that enabled self-XSS in the chat window. Attempts to get acknowledgement and a remediation timeline from Eurostar were initially unsuccessful and contentious, though the researcher says the vulnerabilities were eventually fixed before publishing the report.
Why it matters
- Unchecked historical messages let attackers inject context that can steer model outputs despite guardrails.
- Prompt injection paths can expose system prompts or other sensitive model context to attackers.
- HTML injection enabling self-XSS allows script execution in users’ browsers, increasing risk of account/session compromise.
- The case illustrates that traditional web and API security weaknesses still apply when integrating LLMs.
Key facts
- The chatbot communicates with a REST API at https://site-api.eurostar.com/chatbot/api/agents/default.
- Frontend sends the entire chat_history in each POST; responses include role, guard_passed status and sometimes a signature.
- Guardrail statuses observed: PASSED, FAILED, UNKNOWN; a signature is returned when the guardrail marks a message as PASSED.
- Only the latest message’s signature was validated by the server; older messages were not cryptographically tied to that decision.
- An attacker could modify earlier messages client-side and have them used as trusted context by the model.
- Prompt injection techniques were able to leak system prompts according to the researcher’s testing.
- HTML injection in the chat allowed self cross-site scripting (self-XSS) within the chat window.
- The researcher performed testing within Eurostar’s published vulnerability disclosure programme and used traffic interception tools during analysis.
- Initial disclosure attempts received no acknowledgement and the researcher reports a contentious exchange; the issues were later fixed before publication.
What to watch next
- Whether Eurostar publishes a public post-mortem or technical remediation notes (not confirmed in the source).
- Whether other companies’ chatbot deployments show similar API design flaws (not confirmed in the source).
- The researcher reports the vulnerabilities were fixed prior to publication.
Quick glossary
- Guardrail: A programmatic filter or policy layer that evaluates and blocks inputs or outputs to prevent harmful or disallowed behavior before they reach or leave a model.
- Prompt injection: An attack that injects malicious or crafted input into a model’s context to alter its output or extract hidden instructions or data.
- Self-XSS (cross-site scripting): A type of XSS where injected script runs in the victim’s own browser, often relying on the user to paste or trigger content; it can still enable unwanted script execution in a chat UI.
- Signature: A cryptographic artifact returned by a server to indicate a message was validated or approved; useful to bind content to an integrity check.
- LLM (large language model): A machine learning model trained on large amounts of text that can generate or transform human-like language responses.
Reader FAQ
Were the vulnerabilities fixed?
Yes — the researcher reports the issues were fixed before the findings were published.
Did the researcher follow Eurostar’s disclosure rules?
Yes — the researcher says testing was done within the scope of Eurostar’s published vulnerability disclosure programme.
Could attackers steal user data via these flaws?
Not confirmed in the source.
Did Eurostar acknowledge the report promptly?
The researcher reports initial disclosure requests went unanswered and that the interaction became contentious; eventual remediation occurred.
ARTIFICIAL INTELLIGENCE Eurostar AI vulnerability: when a chatbot goes off the rails Ross Donald 22 DEC 2025 18 MIN READ TL;DR Found four issues in Eurostar’s public AI chatbot…
Sources
- Eurostar AI vulnerability: When a chatbot goes off the rails
- Eurostar AI chatbot flaws exposed
- Pen testers accused of 'blackmail' over Eurostar AI flaws
- Eurostar chatbot bug disclosures prompt blackmail …
Related posts
- Traceformer launches major update to LLM-powered PCB schematic checker
- DoorDash bans driver after alleged AI-generated fake delivery photo
- Agentic Patterns: Curated Catalogue of Repeatable, Traceable AI Agent Patterns