Eurostar AI vulnerability: when a chatbot goes off the rails
ID: 38294b25-85e0-52bb-bd3b-400e830117e8
STIX ID: report--38294b25-85e0-52bb-bd3b-400e830117e8
Feed Name: Pen Test Partners Blog
Researchers identified four vulnerabilities in Eurostar’s AI chatbot: guardrail bypass due to insufficient signature binding on chat history, prompt injection revealing model and system prompts, HTML injection leading to self-XSS, and unvalidated conversation/message IDs that risk replay or cross-user exposure. The report demonstrates the request/response mechanics behind the flaws, outlines potential escalation to stored/shared XSS, describes a problematic disclosure process despite a VDP, and recommends mitigations including strict server-side signature binding of messages and guard decisions, server-generated/validated IDs, robust input validation, and HTML output sanitization.
