AUDITWOLF
24 Dec 2025 | Europe

Eurostar’s AI Chatbot Crisis: Security Warnings Labeled as “Blackmail”

When ethical hackers exposed critical flaws in Eurostar’s AI chatbot, they were accused of blackmail instead of being thanked.

Picture this: A routine train booking turns into a cyber drama when researchers stumble upon gaping holes in the defenses of Eurostar’s shiny new AI chatbot. Instead of gratitude for flagging the risks, the whistleblowers are met with accusations of extortion. For one of Europe’s most iconic rail operators, the rush to deploy artificial intelligence may have come with unexpected - and embarrassing - security baggage.

Fast Facts

  • Pen Test Partners (PTP) discovered serious vulnerabilities in Eurostar’s AI chatbot in June 2025.
  • Flaws included safety checks that inspected only the latest message in a thread, HTML injection, and unverified conversation IDs.
  • Reporting the bugs led to Eurostar accusing the researchers of blackmail.
  • The vulnerabilities have since been patched, but only after delays and confusion.
  • Experts warn that AI features do not excuse neglecting tried-and-true web security.

How a Simple Booking Became a Security Scandal

The saga began innocently enough: an ethical hacker planning a Eurostar trip noticed that the company’s new AI chatbot was a little too eager to help. By tweaking previous messages in a chat thread, the researchers realized the bot only checked the very last message for safety - effectively leaving the door wide open for manipulation.

This oversight allowed PTP to use “prompt injection” - a method of tricking AI systems - to coax the chatbot into revealing its own operational secrets, including the type of AI model running under the hood. But the rabbit hole went deeper. The chatbot was also vulnerable to HTML injection, meaning attackers could force it to display fake links or malicious code. Even more concerning, the system failed to verify if chat sessions belonged to the right users, raising the specter of attackers hijacking or replaying private conversations.
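The three weaknesses described above map to three server-side controls: inspecting every message in a thread rather than only the newest one (and not trusting client-supplied history at all), binding a conversation ID to the authenticated user who created it, and escaping model output before it reaches the browser. The sketch below is an added illustration written for this article, not code from Eurostar or Pen Test Partners; the conversation store, the blocked-phrase list and the function names are all constructed assumptions.

```python
import html
from dataclasses import dataclass, field

# Constructed policy: phrases the guardrail refuses to forward to the model.
BLOCKED_PHRASES = ("ignore previous instructions", "reveal your system prompt")

@dataclass
class Conversation:
    owner: str                                   # authenticated user who opened the thread
    history: list = field(default_factory=list)  # server-side copy of accepted messages

STORE = {}  # constructed in-memory store, keyed by conversation id

def create_conversation(conv_id, owner):
    STORE[conv_id] = Conversation(owner=owner)
    return STORE[conv_id]

def violates_policy(text):
    lowered = text.lower()
    return any(phrase in lowered for phrase in BLOCKED_PHRASES)

def weak_check(messages):
    """The flaw the article describes: only the newest message is inspected,
    so an edited earlier message in the thread passes straight through."""
    return not violates_policy(messages[-1])

def hardened_submit(conv_id, user, client_messages):
    """Return (accepted, reason). The thread must belong to the caller, the
    client's history must match the server record, and every message is checked."""
    conv = STORE.get(conv_id)
    if conv is None or conv.owner != user:
        return False, "conversation does not belong to this user"
    # The client may only append one new message; its copy of the history is not trusted.
    if client_messages[:-1] != conv.history:
        return False, "client-supplied history differs from server record"
    if any(violates_policy(m) for m in client_messages):
        return False, "policy violation somewhere in the thread"
    conv.history.append(client_messages[-1])
    return True, "accepted"

def render_reply(text):
    """Escape model output so injected markup is displayed as text, not rendered."""
    return html.escape(text)
```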

Reporting Roadblocks and Reputational Fallout

Instead of a swift fix, the researchers encountered a bureaucratic maze. Their initial warnings to Eurostar in June 2025 were met with silence. When they finally reached the company’s security lead via LinkedIn, Eurostar claimed they had no record of the reports - apparently due to an outsourced security process. The most shocking twist came when Eurostar accused the researchers of blackmail, despite operating a public vulnerability disclosure program.

“We had disclosed a vulnerability in good faith,” the PTP team stated, expressing disbelief at the hostile reception. The issues were eventually patched, but the episode highlights a recurring pattern: as companies race to integrate AI into customer services, basic cybersecurity hygiene sometimes falls by the wayside.

Lessons from the Tunnel

Eurostar’s chatbot debacle serves as a cautionary tale for any organization dazzled by AI’s promise. Without robust security behind the scenes, even the most sophisticated digital assistants can become liabilities. For ethical hackers and security researchers, the message is equally clear: responsible disclosure can still be a bumpy ride, even in 2025.

WIKICROOK

  • Prompt Injection: Prompt injection is when attackers feed harmful input to an AI, causing it to act in unintended or dangerous ways, often bypassing normal safeguards.
  • Guardrails: Guardrails are built-in rules or systems that prevent AI from generating unsafe, offensive, or dangerous content, protecting users and upholding safety.
  • HTML Injection: HTML Injection is when attackers insert unauthorized HTML code into a site, changing how it looks or behaves for users and posing security risks.
  • Vulnerability Disclosure Program: A Vulnerability Disclosure Program allows researchers to safely report security flaws to organizations, helping them fix issues before attackers exploit them.
  • Session Replay Attack: A session replay attack lets attackers intercept and reuse user session data, allowing them to impersonate users and access sensitive information.