Expedia’s chatbot instructs on how to make a Molotov cocktail

Travel agency Expedia has launched a ChatGPT-based AI travel planner that does far more than its initial purpose. For example, it instructs users on how to make a Molotov cocktail.

The mass adoption of large language model-powered chatbots has penetrated businesses far and wide. So it came as no surprise when Expedia, an online travel agency, adopted an AI Travel planner to help customers arrange their trips more efficiently. After all, who hasn’t asked ChatGPT, Claude, or another model to help with an itinerary?

However, the Cybernews research team has discovered that the AI travel planner can really spice things up, like teaching how to make a Molotov cocktail without blinking twice. Expedia’s chatbot provided a short summary of the cocktails’ history and added detailed instructions, from necessary materials to the incendiary device’s assembly.

“Although nobody is going to go to Expedia to learn how to commit crimes, it highlights the issue of the possibility of abuse, the possibility of getting Expedia suspended from its ChatGPT licence, and causing legal harm to the company itself,” the team explained.

“While there is no reason to believe customer data could have been affected in this case, such cases come with their own problems.”

Our researchers also highlighted the fact that customer-support chatbots without the appropriate guardrails expose companies to legal, financial, and reputational risk.

“Real-world cases show companies being held liable for bots’ misstatements (Air Canada), brands going viral for abusive or self-sabotaging bot behavior (DPD), as well as market value impacts from visible AI errors (Google Bard demo). Allowing users to modify the bot's behavior can lead to reputation damage and stock price losses.”

We have reached out to the company for comment and will update the article once we receive a reply. After the team contacted Expedia, the chatbot was fixed and no longer allows any off-topic conversations.

What is AI jailbreaking?

Manipulating chatbots into bypassing the safety rules their creators built in is called jailbreaking. Attackers craft prompts designed to trick the AI into ignoring security rules and providing them with malicious or harmful content.

While asking a chatbot for instructions on making a Molotov cocktail may sound somewhat comical, it highlights how malicious actors can leverage AI adoption for their own benefit. The same tactics can be utilized to trick chatbots into revealing sensitive information.

Earlier this year, Cybernews researchers discovered critical vulnerabilities affecting Lenovo’s implementation of its AI chatbot, Lena, powered by OpenAI’s GPT-4.

Designed to assist customers, Lena could also be compelled to run unauthorized scripts on corporate machines, spill active session cookies, and more. Attackers can abuse the XSS vulnerabilities as a direct pathway into the company’s customer support platform.

Meanwhile, other researchers managed to trick the Chinese chatbot DeepSeek into crafting a Chrome infostealer. One researcher, with no prior malware experience, was able to successfully create malware capable of wiping sensitive information.

After OpenAI launched its latest model, GPT-5, several security teams managed to jailbreak the chatbot in less than 24 hours after it was released.