Dec 05, 2025Ravie LakshmananEmail Safety / Risk Analysis
A brand new agentic browser assault focusing on Perplexity’s Comet browser that is able to turning a seemingly innocuous electronic mail right into a harmful motion that wipes a person’s complete Google Drive contents, findings from Straiker STAR Labs present.
The zero-click Google Drive Wiper method hinges on connecting the browser to companies like Gmail and Google Drive to automate routine duties by granting them entry to learn emails, in addition to browse recordsdata and folders, and carry out actions like transferring, renaming, or deleting content material.
As an example, a immediate issued by a benign person may appear like this: “Please verify my electronic mail and full all my latest group duties.” This may trigger the browser agent to go looking the inbox for related messages and carry out the mandatory actions.
“This conduct displays extreme company in LLM-powered assistants the place the LLM performs actions that go far past the person’s specific request,” safety researcher Amanda Rousseau mentioned in a report shared with The Hacker Information.
An attacker can weaponize this conduct of the browser agent to ship a specifically crafted electronic mail that embeds pure language directions to prepare the recipient’s Drive as a part of an everyday cleanup job, delete recordsdata matching sure extensions or recordsdata that aren’t inside any folder, and evaluation the adjustments.
On condition that the agent interprets the e-mail message as routine housekeeping, it treats the directions as legit and deletes actual person recordsdata from Google Drive with out requiring any person affirmation.
“The end result: a browser-agent-driven wiper that strikes vital content material to trash at scale, triggered by one natural-language request from the person,” Rousseau mentioned. “As soon as an agent has OAuth entry to Gmail and Google Drive, abused directions can propagate rapidly throughout shared folders and group drives.”
What’s notable about this assault is that it neither depends on a jailbreak or a immediate injection. Moderately, it achieves its purpose by merely being well mannered, offering sequential directions, and utilizing phrases like “handle,” “deal with this,” and “do that on my behalf,” that shift the possession to the agent.
In different phrases, the assault highlights how sequencing and tone can nudge the massive language mannequin (LLM) to adjust to malicious directions with out even bothering to verify if every of these steps is definitely secure.
To counter the dangers posed by the menace, it is suggested to take steps to safe not simply the mannequin, but in addition the agent, its connectors, and the pure language directions it follows via.
“Agentic browser assistants flip on a regular basis prompts into sequences of highly effective actions throughout Gmail and Google Drive,” Rousseau mentioned. “When these actions are pushed by untrusted content material (particularly well mannered, well-structured emails) organizations inherit a brand new class of zero-click data-wiper threat.”
HashJack Exploits URL Fragments for Oblique Immediate Injection
The disclosure comes as Cato Networks demonstrated one other assault geared toward synthetic intelligence (AI)-powered browsers that hides rogue prompts after the “#” image in legit URLs (e.g., “www.instance[.]com/residence#”) to deceive the brokers into executing them. The method has been dubbed HashJack.
In an effort to set off the client-side assault, a menace actor can share such a specifically crafted URL through electronic mail, social media, or by embedding it immediately on an internet web page. As soon as the sufferer hundreds the web page and asks the AI browser a related query, it executes the hidden immediate.
“HashJack is the primary identified oblique immediate injection that may weaponize any legit web site to control AI browser assistants,” safety researcher Vitaly Simonovich mentioned. “As a result of the malicious fragment is embedded in an actual web site’s URL, customers assume the content material is secure whereas hidden directions secretly manipulate the AI browser assistant.”
Following accountable disclosure, Google categorised it as “will not repair (supposed conduct)” and low severity, whereas Perplexity and Microsoft have launched patches for his or her respective AI browsers (Comet v142.0.7444.60 and Edge 142.0.3595.94). Claude for Chrome and OpenAI Atlas have been discovered to be proof against HashJack.
It is price noting that Google doesn’t deal with policy-violating content material era and guardrail bypasses as safety vulnerabilities beneath its AI Vulnerability Reward Program (AI VRP).
