AI Browser Security Alert: Researchers Uncover Critical Vulnerabilities
Security researchers have uncovered critical vulnerabilities in popular AI-powered browsers like Perplexity’s Comet and OpenAI’s ChatGPT Atlas that could allow hackers to hijack AI assistants and perform unauthorized actions using users’ logged-in privileges.
Key Security Risks Identified
- Indirect prompt injection attacks can hijack AI assistants
- Hidden commands embedded in webpages or images trigger malicious actions
- Attackers can bypass security parameters of multiple AI browsers
- Vulnerability affects user privacy and account security
How the Attack Works
Brave researchers discovered that malicious websites can exploit a technique called ‘indirect prompt injection’ to hijack AI assistants. Hackers embed hidden commands within webpages, social media comments, or images that the AI mistakenly interprets as legitimate user instructions.
“An attacker embeds malicious instructions in Web content that are hard to see for humans. In our attack, we were able to hide prompt injection instructions in images using a faint light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user,” Brave explained in their blog post.
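As an added illustration (not code from Brave, Perplexity or OpenAI), the JavaScript below shows one defensive heuristic for the hiding method Brave describes: compute the WCAG contrast ratio of each extracted text run and withhold near-invisible runs from the model. The input shape, the colour values and the 3:1 threshold are assumptions made for this example.

```javascript
// Added example: flag text runs a human reader would struggle to see.
// Input shape (text + foreground/background hex colours) is an assumption;
// in practice it would come from DOM computed styles or an OCR pass.

// WCAG 2.x relative luminance of an sRGB colour given as "#rrggbb".
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex);
  if (!m) throw new Error(`unsupported colour: ${hex}`);
  const n = parseInt(m[1], 16);
  const channels = [(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff].map((c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * channels[0] + 0.7152 * channels[1] + 0.0722 * channels[2];
}

// WCAG contrast ratio, from 1 (identical colours) to 21 (black on white).
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg);
  const b = relativeLuminance(bg);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// Split extracted text runs into those passed on to the model and those
// withheld because they are effectively invisible to the user.
// minRatio = 3.0 is an assumed threshold, not a value from the article.
function partitionByVisibility(runs, minRatio = 3.0) {
  const visible = [];
  const withheld = [];
  for (const run of runs) {
    const ratio = contrastRatio(run.fg, run.bg);
    (ratio >= minRatio ? visible : withheld).push({ ...run, ratio });
  }
  return { visible, withheld };
}

// Constructed sample: one normal caption, one faint light-blue-on-yellow run.
const sampleRuns = [
  { text: "Quarterly sales chart", fg: "#000000", bg: "#ffffff" },
  { text: "(constructed hidden text run)", fg: "#add8e6", bg: "#ffff00" },
];

const result = partitionByVisibility(sampleRuns);
for (const r of result.withheld) {
  console.log(`withheld (contrast ${r.ratio.toFixed(2)}:1): ${r.text}`);
}
```

A contrast filter only addresses this one hiding method; page content still has to be handled as untrusted input rather than as user instructions.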
Multiple Browsers Affected
The security flaw isn’t limited to Perplexity’s Comet. Researchers also bypassed security parameters in another AI browser called Fellou. When users ask the browser to visit a website, it sends the site’s content, which may include hidden malicious commands, to its language model.
“The security vulnerability we found in Perplexity’s Comet browser this summer is not an isolated issue. Indirect prompt injections are a systemic problem facing Comet and other AI-powered browsers,” Brave warned.
OpenAI’s Awareness of Risks
Even OpenAI acknowledged the security challenges during the launch of ChatGPT Atlas. “Despite all of the power and awesome capabilities that you get with sharing your browser with ChatGPT, that also poses an entirely new set of risks,” an OpenAI employee admitted during the live-stream.
While OpenAI states that Atlas cannot access computer data beyond browser tabs, the company hasn’t clarified specific protections against prompt injection attacks. Some users already report that Atlas may be vulnerable to security flaws similar to those in Comet.



