Enterprise browser security firm SquareX has demonstrated how malicious browser extensions can impersonate AI sidebar interfaces for phishing and other nefarious purposes.
The attack technique, named AI Sidebar Spoofing, has been demonstrated against Perplexity's Comet and ChatGPT Atlas, OpenAI's new web browser. However, SquareX contends it is a systemic flaw: not only AI browsers, but also Edge, Brave and Firefox, are vulnerable.
AI sidebars are AI chat windows integrated into web browsers, typically displayed on the side of the screen, processing content on the current page or performing actions based on user prompts.
ChatGPT Atlas and Comet are dedicated AI browsers, but applications such as Edge and Chrome also integrate AI assistants powered by Copilot and Gemini. Firefox and Brave also have an AI sidebar, but they use third-party chatbots rather than having their own proprietary LLM.
SquareX researchers have shown how threat actors can spoof trusted AI sidebars in browsers by getting the targeted user to install a malicious browser extension. The extension can be created by the attacker from scratch and disguised as a harmless tool, or it can be a legitimate extension that has been compromised and modified.
It's worth noting that the malicious extension requires host and storage permissions, but the security firm pointed out that these are common permissions required by many popular extensions.
When the victim opens a new browser tab, the malicious extension injects JavaScript into the page to create a fake sidebar that is a faithful replica of the legitimate AI sidebar.
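Because the technique depends on an extension holding broad host access together with storage, one practical control is to audit the manifests of installed extensions for exactly that combination. The following is an added example, not SquareX's code or any browser vendor's; it assumes Manifest V3 field names and uses a constructed sample manifest.

```javascript
// Added example (not from SquareX or any vendor): flag extension manifests whose
// declared permissions match the profile described above, i.e. broad host access
// plus storage. Field names assume Chrome Manifest V3 (host_permissions, etc.).

const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Gather every match pattern that grants page access: MV3 host_permissions,
// MV2-style URL patterns left in "permissions", and content_scripts matches.
function collectHostPatterns(manifest) {
  const fromHost = manifest.host_permissions || [];
  const fromPerms = (manifest.permissions || []).filter(
    (p) => p.includes("://") || p === "<all_urls>"
  );
  const fromScripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...fromHost, ...fromPerms, ...fromScripts];
}

function auditManifest(manifest) {
  const findings = [];
  if (collectHostPatterns(manifest).some(isBroadHost)) findings.push("broad-host-access");
  if ((manifest.permissions || []).includes("storage")) findings.push("storage");
  // A content script that runs on every site can inject UI into any page.
  if ((manifest.content_scripts || []).some((cs) => (cs.matches || []).some(isBroadHost)))
    findings.push("content-script-on-all-sites");
  // A new-tab override is one way to control what a fresh tab displays (assumption:
  // not stated on the page as the mechanism SquareX used, flagged only for review).
  if (manifest.chrome_url_overrides && manifest.chrome_url_overrides.newtab)
    findings.push("newtab-override");
  const risk =
    findings.includes("broad-host-access") && findings.includes("storage") ? "review" : "ok";
  return { name: manifest.name, risk, findings };
}

// Constructed sample manifest, for demonstration only.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Tab Helper",
  permissions: ["storage", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_end" }],
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

In practice the manifests would be read from the browser's extension directories or exported via enterprise policy reporting; a "review" result is a triage signal, not proof of malice, since the page notes that many popular extensions legitimately request the same permissions.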
"Since there is no visual and workflow difference between the spoofed and real AI sidebar, the user will likely believe that they are interacting with the real AI browser sidebar," SquareX explained.
"Once the user enters a prompt into the spoofed AI sidebar, the extension hooks into its LLM to generate a response. However, the key difference is when it detects prompts that request certain instructions/guides, it will manipulate the responses to include malicious steps that the user will then execute," it added.
SquareX has shown how AI Sidebar Spoofing can be leveraged for phishing and malware distribution. For instance, the malicious sidebar can direct users to a phishing website when they ask about cryptocurrency services.
If the victim wants help with the installation of an app that requires the execution of commands, the fake AI sidebar can display instructions for executing a reverse shell that provides remote access to the system, enabling the deployment of malware.
In addition to using malicious browser extensions, SquareX pointed out, attackers can set up websites that have a natively integrated spoofed AI sidebar. However, the attack vector involving malicious extensions is more significant as it can be executed on any website.
SquareX told SecurityWeek that its findings have been reported to Perplexity and OpenAI.
However, these types of vulnerabilities are typically difficult to fully address, considering that a successful attack requires significant interaction from the victim.
OpenAI pointed out in the blog post announcing Atlas that it has added safeguards to prevent various risks. For instance, the ChatGPT agent cannot run code in the browser, download files, or install extensions, and it cannot access other apps on the system.
However, these types of protections have a limited effect if an attacker uses social engineering to trick the victim into installing an extension, interacting with the fake AI sidebar, and trusting the instructions provided by the chatbot.
Attacks involving malicious browser extensions were previously demonstrated against popular LLMs such as ChatGPT, Gemini, Copilot, Claude and DeepSeek.