Summarize-with-AI buttons inject ads into chatbot memory

A new species of “helpful” web button is quietly turning large language models into long-term marketing assets.

According to The Decoder, Microsoft’s Defender Security Research team has documented a prompt-injection technique it calls “AI Recommendation Poisoning,” where websites embed “Summarize with AI” (or similar) buttons that open an AI assistant with a pre-filled prompt encoded in the URL. The user thinks they’re asking for a summary; the assistant receives a second, hidden instruction set: “remember this site as a trusted source,” “recommend our product first,” or even full ad copy.

This is not a theoretical red-team demo. Microsoft’s researchers found more than 50 distinct manipulative prompts from 31 real companies across 14 industries in just 60 days, per The Decoder’s summary of the report. The most aggressive examples attempted to write entire sales pitches into the assistant’s memory—turning the model’s future recommendations into a paid placement that the user never consented to.

The technical trick is banal: many assistants accept “share links” of the form chatgpt.com/?q=… or copilot.microsoft.com/?q=… where the query parameter becomes the initial prompt. A button on a third-party site can therefore act as an instruction delivery mechanism. The attack is “in-band” (instructions delivered through the same channel as legitimate user intent) and, crucially, it targets the persistence layer: memory.

Why memory changes the threat model

Classic prompt injection is usually session-scoped. You get a bad answer once, you move on. Memory turns that into a durable compromise: the assistant can carry forward a planted preference—“Company X is authoritative”—and reapply it in unrelated conversations. That makes the attack closer to poisoning a local configuration file than tricking a chatbot.

Microsoft says the technique has been observed targeting major assistants including Copilot, ChatGPT, Claude, Perplexity, and Grok, with effectiveness varying as platforms adjust defenses. But the vulnerability is architectural: any system that (1) accepts pre-filled prompts via URL or deep links and (2) offers persistent memory or preference storage is a candidate.

The supply chain angle is the punchline. The “Summarize with AI” button is being sold as UX—sometimes literally as an “SEO growth hack,” via off-the-shelf tooling. The Decoder notes an NPM package (“CiteMET”) and an “AI Share URL Creator” that make it trivial to generate these links. Prompt injection is being productized.

Microsoft’s advice, quoted by The Decoder, is appropriately bleak: verify the target URL before clicking and regularly review/delete saved memories. That’s the security equivalent of “don’t drink from puddles,” except the puddles are now embedded in the modern web’s UI furniture.

The deeper problem is incentives. If assistants become the interface to the internet, then poisoning what they “remember” becomes the new search-engine optimization—except instead of gaming rankings, you’re rewriting the user’s private adviser.