A brand new agentic browser assault concentrating on Perplexity’s Comet browser that is able to turning a seemingly innocuous electronic mail right into a damaging motion that wipes a person’s complete Google Drive contents, findings from Straiker STAR Labs present.
The zero-click Google Drive Wiper method hinges on connecting the browser to companies like Gmail and Google Drive to automate routine duties by granting them entry to learn emails, in addition to browse recordsdata and folders, and carry out actions like transferring, renaming, or deleting content material.
For example, a immediate issued by a benign person may appear to be this: “Please test my electronic mail and full all my current group duties.” This may trigger the browser agent to go looking the inbox for related messages and carry out the required actions.
“This conduct displays extreme company in LLM-powered assistants the place the LLM performs actions that go far past the person’s express request,” safety researcher Amanda Rousseau stated in a report shared with The Hacker Information.
An attacker can weaponize this conduct of the browser agent to ship a specifically crafted electronic mail that embeds pure language directions to prepare the recipient’s Drive as a part of a daily cleanup activity, delete recordsdata matching sure extensions or recordsdata that aren’t inside any folder, and evaluation the adjustments.
On condition that the agent interprets the e-mail message as routine housekeeping, it treats the directions as respectable and deletes actual person recordsdata from Google Drive with out requiring any person affirmation.
“The outcome: a browser-agent-driven wiper that strikes vital content material to trash at scale, triggered by one natural-language request from the person,” Rousseau stated. “As soon as an agent has OAuth entry to Gmail and Google Drive, abused directions can propagate shortly throughout shared folders and group drives.”
What’s notable about this assault is that it neither depends on a jailbreak or a immediate injection. Relatively, it achieves its purpose by merely being well mannered, offering sequential directions, and utilizing phrases like “handle,” “deal with this,” and “do that on my behalf,” that shift the possession to the agent.
In different phrases, the assault highlights how sequencing and tone can nudge the massive language mannequin (LLM) to adjust to malicious directions with out even bothering to test if every of these steps is definitely protected.
To counter the dangers posed by the menace, it is suggested to take steps to safe not simply the mannequin, but in addition the agent, its connectors, and the pure language directions it follows via.
“Agentic browser assistants flip on a regular basis prompts into sequences of highly effective actions throughout Gmail and Google Drive,” Rousseau stated. “When these actions are pushed by untrusted content material (particularly well mannered, well-structured emails) organizations inherit a brand new class of zero-click data-wiper danger.”
HashJack Exploits URL Fragments for Oblique Immediate Injection
The disclosure comes as Cato Networks demonstrated one other assault geared toward synthetic intelligence (AI)-powered browsers that hides rogue prompts after the “#” image in respectable URLs (e.g., “www.instance[.]com/dwelling#
So as to set off the client-side assault, a menace actor can share such a specifically crafted URL through electronic mail, social media, or by embedding it immediately on an internet web page. As soon as the sufferer masses the web page and asks the AI browser a related query, it executes the hidden immediate.
“HashJack is the primary identified oblique immediate injection that may weaponize any respectable web site to control AI browser assistants,” safety researcher Vitaly Simonovich stated. “As a result of the malicious fragment is embedded in an actual web site’s URL, customers assume the content material is protected whereas hidden directions secretly manipulate the AI browser assistant.”
Following accountable disclosure, Google labeled it as “will not repair (meant conduct)” and low severity, whereas Perplexity and Microsoft have launched patches for his or her respective AI browsers (Comet v142.0.7444.60 and Edge 142.0.3595.94). Claude for Chrome and OpenAI Atlas have been discovered to be proof against HashJack.
It is price noting that Google doesn’t deal with policy-violating content material era and guardrail bypasses as safety vulnerabilities beneath its AI Vulnerability Reward Program (AI VRP).
