TL;DR

A security researcher found multiple weaknesses in Eurostar’s public AI chatbot, including guardrail bypasses, unchecked message and conversation IDs, prompt injection that could reveal system prompts, and an HTML injection leading to self-XSS. The issues were reported under Eurostar’s vulnerability disclosure programme, eventually fixed, and published after a difficult disclosure process.

What happened

A researcher who accessed Eurostar’s public chatbot while planning travel examined its behavior under the site’s vulnerability disclosure programme and used interception tools to inspect API traffic. The chatbot is API-driven (endpoint: https://site-api.eurostar.com/chatbot/api/agents/default) and the frontend sends the entire chat history with each request. The backend ran a guardrail check only on the latest message and returned a cryptographic signature when that latest message passed. Older messages in the history were neither re-verified nor cryptographically tied to the pass decision, so a client could modify earlier entries and feed altered context to the model. The researcher identified four issues: guardrail bypass, unchecked conversation/message IDs, prompt injection exposing system prompts, and HTML injection enabling self-XSS in the chat window. Eurostar was notified via its VDP; the disclosure process was contested, but the company ultimately fixed the vulnerabilities before the findings were published.

Why it matters

  • Partial or client-side trust in chat history lets attackers change earlier messages and influence model output despite guardrails.
  • Prompt and HTML injection can expose internal prompts or allow script execution within the chat UI, risking data leakage and client-side compromise.
  • APIs that only verify the last message undermine server-side policy controls and signature-based protections.
  • This case shows that traditional web and API vulnerabilities remain relevant when LLMs are used as back-end components.

Key facts

  • Research was performed while the researcher acted as a legitimate customer and within Eurostar’s published vulnerability disclosure programme.
  • The chatbot communicates with a REST API at https://site-api.eurostar.com/chatbot/api/agents/default.
  • The frontend sends the full chat history in each POST request rather than just the newest message.
  • The backend performs a guardrail check only on the latest message and returns a signature if that check passes.
  • Older messages in the history were not cryptographically bound to the guard decision and could be altered client-side.
  • Four distinct issues were reported: guardrail bypass, unchecked conversation/message IDs, prompt injection leaking system prompts, and HTML injection causing self-XSS.
  • The chatbot’s refusal behavior used a fixed, identical refusal text, indicating a programmatic guard layer rather than variable model refusals.
  • Disclosure under Eurostar’s VDP was described as difficult and initially went unanswered; at one point, the researcher says, Eurostar suggested the report was an attempt to blackmail the company.
  • According to the researcher, the vulnerabilities were eventually remediated before publication.
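The design flaw described above (signature over the latest message only, history unbound) beside the fix (every turn re-checked and one MAC over the whole transcript), as an added example that is not code from the researcher or from Eurostar. The HMAC key, the stand-in guardrail rule and the sample transcript are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Assumption: a server-side secret; the page does not describe how the real signature was keyed.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def canonical(history):
    """Deterministic encoding so the same transcript always MACs to the same value."""
    return json.dumps(history, sort_keys=True, separators=(",", ":")).encode()

def guardrail_passes(message):
    """Stand-in for the policy layer; the real rule set is not described on the page."""
    return "ignore earlier policy" not in message["content"].lower()

def sign_last_only(history):
    """Weak pattern from the write-up: only the newest message is checked and signed."""
    last = history[-1]
    if not guardrail_passes(last):
        return None
    return hmac.new(SERVER_KEY, canonical([last]), hashlib.sha256).hexdigest()

def sign_full_history(history):
    """Hardened pattern: every user turn is checked and the MAC covers the whole transcript."""
    if not all(guardrail_passes(m) for m in history if m["role"] == "user"):
        return None
    return hmac.new(SERVER_KEY, canonical(history), hashlib.sha256).hexdigest()

def verify(history, signature, full_history):
    """Server side: recompute the MAC over what the client sent now and compare in constant time."""
    expected = sign_full_history(history) if full_history else sign_last_only(history)
    return expected is not None and hmac.compare_digest(expected, signature)

def tamper_detected(full_history):
    """Constructed transcript: the server signs it, then the client rewrites an earlier turn."""
    history = [
        {"role": "user", "content": "Can I change the date on my booking?"},
        {"role": "assistant", "content": "Yes, changes are possible before departure."},
        {"role": "user", "content": "And what is the refund policy?"},
    ]
    signature = sign_full_history(history) if full_history else sign_last_only(history)
    tampered = [dict(m) for m in history]
    tampered[0]["content"] = "[earlier turn rewritten client-side after signing]"
    # Last-only binding still verifies because the newest turn is untouched.
    return not verify(tampered, signature, full_history)
```

Run `tamper_detected(False)` and `tamper_detected(True)` to see that only the full-history binding rejects the edited transcript.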

What to watch next

  • Whether the applied fixes bind every message in the history (not just the latest) to the server-side signature and re-verify the history on each request; the source confirms only that fixes were applied.
  • Whether Eurostar publishes a detailed post-incident report explaining root causes and remediation steps; not confirmed in the source.
  • Whether other travel and service websites using LLM-backed chatbots share the same pattern of sending the full history from the client without strong server-side binding; not confirmed in the source.

Quick glossary

  • Guardrail: A programmatic policy layer placed in front of a model to block or modify user requests and model outputs before the LLM sees them or before responses are returned to users.
  • Prompt injection: An attack that inserts malicious or instructive text into the model’s input (or its context) to alter its behavior or reveal internal prompts.
  • Self-XSS (HTML injection): Client-side cross-site scripting where injected HTML or script executes in the browser of the user who entered it (the victim is the same user), often via a chat UI that renders unescaped content.
  • Signature (cryptographic): A cryptographic token attached to content to attest to its authenticity or integrity; used to prove that a message passed a backend check.
  • LLM (large language model): A machine learning model trained on large text corpora that can generate human-like text responses based on provided prompts and context.

Reader FAQ

What specific vulnerabilities were found?
The researcher reported guardrail bypass, unchecked conversation and message IDs, prompt injection that could leak system prompts, and HTML injection causing self-XSS.

Was the disclosure handled through an official programme?
Yes. The researcher used Eurostar’s published vulnerability disclosure programme, but says the disclosure process was contentious and went unanswered for a period.

Were the vulnerabilities fixed?
According to the researcher, the issues were eventually fixed before the findings were published.

Did the researcher access private user data during testing?
Not confirmed in the source.

Sources

  • Ross Donald, “Eurostar AI vulnerability: when a chatbot goes off the rails”, Artificial Intelligence, 22 Dec 2025 (18 min read).
