A new agentic browser attack targeting Perplexity’s Comet browser that’s capable of turning a seemingly innocuous email into a destructive action that wipes a user’s entire Google Drive contents, findings from Straiker STAR Labs show.
The zero-click Google Drive Wiper technique hinges on connecting the browser to services like Gmail and Google Drive to automate routine tasks by granting them access to read emails, as well as browse files and folders, and perform actions like moving, renaming, or deleting content.
For instance, a prompt issued by a benign user might look like this: “Please check my email and complete all my recent organization tasks.” This will cause the browser agent to search the inbox for relevant messages and perform the necessary actions.
“This behavior reflects excessive agency in LLM-powered assistants where the LLM performs actions that go far beyond the user’s explicit request,” security researcher Amanda Rousseau said in a report shared with The Hacker News.
An attacker can weaponize this behavior of the browser agent to send a specially crafted email that embeds natural language instructions to organize the recipient’s Drive as part of a regular cleanup task, delete files matching certain extensions or files that are not inside any folder, and review the changes.
Given that the agent interprets the email message as routine housekeeping, it treats the instructions as legitimate and deletes real user files from Google Drive without requiring any user confirmation.
“The result: a browser-agent-driven wiper that moves critical content to trash at scale, triggered by one natural-language request from the user,” Rousseau said. “Once an agent has OAuth access to Gmail and Google Drive, abused instructions can propagate quickly across shared folders and team drives.”
What’s notable about this attack is that it neither relies on a jailbreak or a prompt injection. Rather, it achieves its goal by simply being polite, providing sequential instructions, and using phrases like “take care of,” “handle this,” and “do this on my behalf,” that shift the ownership to the agent.
In other words, the attack highlights how sequencing and tone can nudge the large language model (LLM) to comply with malicious instructions without even bothering to check if each of those steps is actually safe.
To counter the risks posed by the threat, it’s advised to take steps to secure not just the model, but also the agent, its connectors, and the natural language instructions it follows through.
“Agentic browser assistants turn everyday prompts into sequences of powerful actions across Gmail and Google Drive,” Rousseau said. “When those actions are driven by untrusted content (especially polite, well-structured emails) organizations inherit a new class of zero-click data-wiper risk.”
HashJack Exploits URL Fragments for Indirect Prompt Injection
The disclosure comes as Cato Networks…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
