Hidden text can steer ChatGPT Search toward misleading answers

The Guardian found that ChatGPT Search can be manipulated by hidden text placed on web pages. In its tests, the AI-powered search feature produced misleading summaries and could also be pushed to output malicious code.

Hidden prompt-injection attacks show AI search can be manipulated into misleading users or producing malicious code.

ChatGPT Search is designed to make web browsing faster by turning online material into quick, useful summaries. New research reported by The Guardian shows that the same convenience can become a weakness when a web page contains hidden instructions meant for the AI rather than the reader.

The issue matters because AI-powered search does more than list links. It interprets pages, condenses information and presents an answer that can feel authoritative. If that process can be steered by text a user never sees, the trust model around search summaries becomes harder to defend.

What The Guardian found

According to the source article, The Guardian tested ChatGPT Search, an AI-powered search engine that went live this month. The newspaper found that it could make the system generate completely misleading summaries by placing hidden text inside websites it created.

One example involved product reviews. ChatGPT Search is meant to help users by summarizing material such as a web page's product reviews. But The Guardian found that hidden text could persuade ChatGPT to ignore negative reviews and produce "entirely positive" summaries instead.

That is a serious problem for any search feature built around summarization. A reader may believe they are seeing a balanced compression of the page, when the output has actually been pushed toward a particular conclusion by content that was not visible in the normal browsing experience.

Why hidden text attacks matter

The source describes hidden text attacks as a well-known risk for large language models. The basic concern is simple: a model may treat text embedded on a page as meaningful instruction or context, even when that text is not intended for a human visitor.

In a traditional search experience, users often scan titles, snippets and pages themselves. In an AI-powered search experience, the system does more of that work on the user's behalf. That shift can save time, but it also gives the model more influence over what a user notices, trusts and acts on.

The Guardian's test shows how that influence can be redirected. If hidden text can change a summary of product reviews from mixed or negative into "entirely positive," then the summary is no longer just a neutral shortcut. It becomes a possible channel for manipulation.

The risk is not limited to reputation or review summaries. The source article also says ChatGPT Search could be made to spit out malicious code using this method. That widens the concern from misleading consumer information to outputs that may create technical or security risks.

A live test for AI-powered search

The source article notes that this appears to be the first time this kind of attack was demonstrated on a live AI-powered search product. That detail is important because the problem is not only theoretical. It was shown against a product available outside a lab setting.

AI search products face a difficult task. They need to read the open web, which includes useful pages, messy pages and pages designed to influence automated systems. They also need to decide what to trust, what to ignore and how to present uncertainty to users.

The Guardian's finding suggests that the boundary between web content and model instruction remains a central challenge. A page can contain material meant for human readers and material meant to affect the AI system processing it. When the AI does not reliably separate those roles, summaries can become unreliable.

How OpenAI and Google fit into the issue

OpenAI did not comment on this specific incident when TechCrunch reached out. The company said it uses a variety of methods to block malicious websites and is continually improving.

That response points to an ongoing process rather than a finished fix. Blocking malicious websites is one part of the challenge, but hidden text attacks show that the problem can appear inside the content an AI-powered search product is asked to analyze.

The source article also notes that Google, the leader in search, has more experience dealing with similar problems. That comparison matters because search has long required systems for ranking, filtering and resisting manipulation. AI-powered search adds a newer layer: generated summaries that can be shaped by the text the model consumes.

For users, the practical lesson is straightforward. A generated summary can be useful, but it should not be treated as a guaranteed faithful reading of a page. For companies building AI search, the finding underlines the need to keep improving defenses against hidden instructions, malicious websites and misleading summaries.

What this means for readers

The central issue is trust. ChatGPT Search is built to reduce the work of browsing, but users still need confidence that summaries reflect the visible source material rather than hidden prompts buried inside a page.

The Guardian's research does not say that every ChatGPT Search result is unreliable. It shows that the system can be tricked under certain conditions. That distinction matters: the risk is specific, but the implications are broad for any product that uses large language models to summarize the web.

As AI-powered search becomes more common, the quality of the answer will depend not only on the model's ability to write clearly. It will also depend on how well the system resists manipulation from the pages it reads.