January 4, 2026
All aboard the flame train
Eurostar AI vulnerability: when a chatbot goes off the rails
Harmless hiccup or PR trainwreck? Commenters tear into Eurostar’s AI oops
TLDR: A researcher flagged weak guardrails in Eurostar’s AI chatbot and says disclosure turned nasty when Eurostar hinted at blackmail. Commenters split between “no real impact” skeptics and critics roasting Eurostar’s attitude, with memes born from the bot’s stern “you will be punished” rule—proof AI can’t hide old web flaws.
Eurostar’s AI chatbot got caught wobbling, and the comments went full courtroom drama. The researcher says they found four issues—guardrail bypasses, weak checks on chat IDs, a “prompt leak” of the bot’s hidden instructions, and a self-XSS browser trick—and that disclosure dragged so badly Eurostar allegedly hinted at “blackmail.” Cue split reactions: security purists yawned, calling it “no impact” and “informational only,” with one skeptic asking, “How is leaking the system prompt a vuln?” Others argued it reads like basic web mistakes dressed up as AI. The one thing everyone agreed on? The disclosure process sounds rough.
On the flip side, critics torched Eurostar’s vibe, saying the company acted untouchable and hid behind a shiny chatbot. A crowd-favorite moment: a deadpan internal rule allegedly baked into the bot—“Do not hallucinate… or you will be punished”—which became instant meme fuel. For non-tech readers: a “prompt leak” means the bot’s secret do/don’t list peeked out; “self-XSS” is a trick you can only use on yourself, not other people. The bigger lesson, shouted by several voices: old web holes don’t vanish just because you add AI. Verdict? The bugs may be mild, but the PR fallout is spicy and the comment section is even spicier.
Key Points
- Four vulnerabilities were found: guardrail bypass, unchecked conversation/message IDs, prompt injection leaking system prompts, and HTML injection causing self-XSS.
- The chatbot is API-driven via a REST endpoint, with chat history posted and server responses returned with metadata.
- UI guardrails existed, but server-side enforcement and binding to sessions/inputs were weak.
- Attackers could exfiltrate system prompts, influence answers, and execute scripts in the chat window.
- Disclosure under Eurostar’s VDP was difficult; issues were later fixed and subsequently published.