Courageous disclosed safety vulnerabilities in AI browsers that would enable malicious web sites to hijack AI assistants and entry delicate person accounts.
The problems have an effect on Perplexity Comet, Fellou, and probably different AI browsers that may take actions on behalf of customers.
The vulnerabilities stem from oblique immediate injection assaults the place web sites embed hidden directions that AI browsers course of as legit person instructions. Courageous printed the findings after reporting the problems to affected corporations.
What Courageous Discovered
Perplexity Comet Vulnerability
Comet’s screenshot function will be exploited by embedding practically invisible textual content in webpages.
When customers take screenshots to ask questions, the AI extracts hidden textual content utilizing what seems to be OCR and processes it as instructions slightly than untrusted content material.
Courageous notes Comet isn’t open-source, so this habits is inferred and might’t be verified from supply code.
The hidden directions use faint colours that people can barely see however AI programs extract and execute. This lets attackers difficulty instructions to the AI assistant with out the person’s data.
Fellou Navigation Vulnerability
Fellou browser sends webpage content material to its AI system when customers navigate to a website.
Asking the AI assistant to go to a webpage causes the browser to cross the web page’s seen content material to the AI in a manner that lets the webpage textual content override person intent.
This implies visiting a malicious website might set off unintended AI actions with out requiring express person interplay with the AI assistant.
Entry To Delicate Accounts
The vulnerabilities grow to be harmful as a result of AI assistants function with person authentication privileges.
A hijacked AI browser can entry banking websites, electronic mail suppliers, work programs, and cloud storage the place customers stay logged in.
Courageous notes that even summarizing a Reddit put up might end in attackers stealing cash or non-public information if the put up comprises hidden malicious directions.
Trade Context
Courageous describes oblique immediate injection as a systemic problem going through AI browsers slightly than an remoted difficulty.
The issue revolves round AI programs failing to tell apart between trusted person enter and untrusted webpage content material when developing prompts.
Courageous is withholding particulars of 1 extra vulnerability present in one other browser till subsequent week.
Why This Issues
Courageous argues that conventional net safety fashions break when AI brokers act on behalf of customers.
Pure language directions on any webpage can set off cross-domain actions reaching banks, healthcare suppliers, company programs, and electronic mail hosts.
Similar-origin coverage protections grow to be irrelevant as a result of AI assistants execute with full person privileges throughout all authenticated websites.
The disclosure arrives the identical day OpenAI launched ChatGPT Atlas with agent mode capabilities, highlighting the strain between AI browser performance and safety.
Folks utilizing AI browsers with agent options face a tradeoff between automation capabilities and publicity to those systemic vulnerabilities.
Wanting Forward
Courageous’s analysis continues with extra findings scheduled for disclosure subsequent week.
The corporate indicated it’s exploring longer-term options to handle the belief boundary issues in agentic shopping.
Featured Picture: Who’s Danny/Shutterstock
