OpenAI's Atlas and Perplexity's Comet browsers are vulnerable to attacks that spoof the built-in AI sidebar and can lead users into following malicious instructions.
The AI Sidebar Spoofing attack was devised by researchers at browser security company SquareX and works on the latest versions of the two browsers.
The researchers created three realistic attack scenarios where a threat actor could use AI Sidebar Spoofing to steal cryptocurrency, access a target's Gmail and Google Drive services, and hijack a device.
Atlas and Comet are agentic AI browsers that integrate large language models (LLMs) into a sidebar that users can interact with while browsing, asking it to summarize the current page, execute commands, or perform automated tasks.
Comet was released in July, while ChatGPT Atlas became available for macOS earlier this week. Since its release, Comet has been the subject of multiple research reports [1, 2, 3] showing that it comes with security risks under certain circumstances.
Injecting a rogue AI agent
SquareX found that in both Comet and Atlas, it is possible to draw a fake sidebar over the genuine one using a malicious extension that injects JavaScript into the web page the user sees.
The fake sidebar would be identical to the one in the agentic browser, creating a deceptive element that appears to be part of the standard user interface. Since the counterfeit overlays the real one and intercepts all interactions, users would be completely unaware of the fraud.
"Once the victim opens a new browser tab, the extension can inject javascript into the web page to create a fake sidebar that looks exactly the same as the AI Browser's sidebar" - SquareX.
By using an extension, the injected JavaScript can render the malicious sidebar overlay on every site the user visits.
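A defender-side check for the injection path described above, as an added example that is not from SquareX or the article. It assumes Chromium-style extension manifests (`manifest.json`) and flags extensions able to run script on every site; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: audit a parsed extension manifest for the ability to
// inject JavaScript into every page the user visits.
// Match patterns that cover all (or all http/https) sites.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (pattern) => BROAD.has(pattern);

function auditManifest(manifest) {
  const findings = [];
  // Statically declared content scripts that run on all sites.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0 && (cs.js || []).length > 0) {
      findings.push({ kind: "content_script_all_sites", patterns: broad, files: cs.js });
    }
  }
  // Programmatic injection: Manifest V3 needs the "scripting" permission
  // plus host permissions; Manifest V2 lists host patterns in "permissions".
  const perms = manifest.permissions || [];
  const hosts = [...(manifest.host_permissions || []), ...perms].filter(isBroad);
  const programmatic = manifest.manifest_version === 2 || perms.includes("scripting");
  if (hosts.length > 0 && programmatic) {
    findings.push({ kind: "programmatic_injection_all_sites", patterns: hosts });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_ALL_SITES = {
  manifest_version: 3, name: "constructed-sample-a", permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_SCOPED = {
  manifest_version: 3, name: "constructed-sample-b", permissions: ["storage", "scripting"],
  host_permissions: ["https://intranet.example/*"],
  content_scripts: [{ matches: ["https://intranet.example/*"], js: ["helper.js"] }],
};
const SAMPLE_PROGRAMMATIC = {
  manifest_version: 3, name: "constructed-sample-c",
  permissions: ["scripting"], host_permissions: ["*://*/*"],
};

for (const m of [SAMPLE_ALL_SITES, SAMPLE_SCOPED, SAMPLE_PROGRAMMATIC]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

A finding does not mean an extension is malicious, since many legitimate extensions request all-site access; it narrows the set of installed extensions worth reviewing.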