Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label AI Browser Security. Show all posts
Technology
AI Agent Security AI Browser Security Browser Extension Attack Chrome Gemini Vulnerability Chrome Security Flaw CVE-2026-0628 Gemini Live Exploit Technology

Chrome Gemini Live Bug Highlighted Serious Privacy Risks for Users


As long as modern web browsers have been around, they have emphasized a strict separation principle, where extensions, web pages, and system-level capabilities operate within carefully defined boundaries. 

Recently, a vulnerability was disclosed in the “Live in Chrome” panel of Google Chrome, a built-in interface for the Gemini assistant that offers agent-like AI capabilities directly within the browser environment that challenged this assumption. 

In a high-severity vulnerability, CVE-2026-0628, security researchers have identified, it is possible for a low-privileged browser extension to inject malicious code into Gemini's side panel and effectively inherit elevated privileges. 

Attackers may be able to evade sensitive functions normally restricted to the assistant by piggybacking on this trusted interface, which includes viewing local files, taking screenshots, and activating the camera or microphone of the device. While the issue was addressed in January's security update, the incident illustrates a broader concern emerging as artificial intelligence-powered browsing tools become more prevalent.

In light of the increasing visibility of user activity and system resources by intelligent assistants, traditional security barriers separating browser components are beginning to blur, creating new and complex opportunities for exploitation. 

The researchers noted that this flaw could have allowed a relatively ordinary browser extension to control the Gemini Live side panel, even though the extension operated with only limited permissions. 

By granting an extension declarativeNetRequest capability, an extension can manipulate network requests in a manner that allows JavaScript to be injected directly into the Gemini privileged interface rather than just in the standard web application pages of Gemini. 

Although request interception within a regular browser tab is considered normal and expected behavior for some extensions, the same activity occurring within the Gemini side panel carried a far greater security risk.

Whenever code executed within this environment inherits the assistant's elevated privileges, it could be able to access local files and directories, capture screenshots of active web pages, or activate the device's camera and microphone without the explicit knowledge of the user. 

According to security analysts, the issue is not merely a conventional extension vulnerability, but is rather the consequence of a fundamental architectural shift occurring within modern browsers as artificial intelligence capabilities become increasingly embedded in the browser. 

According to security researchers, the vulnerability, internally referred to as Glic Jack, short for Gemini Live in Chrome hijack, illustrates how the growing presence of AI-driven functions within browsers can unintentionally lead to new opportunities for abuse. If exploited successfully, the flaw could have allowed an attacker to escalate privileges beyond what would normally be permitted for browser extensions. 

When operating within the trusted assistant interface, malicious code may be able to activate the victim's camera or microphone without permission, take screenshots of arbitrary websites, or obtain sensitive information from local files. Normally, such capabilities are reserved for browser components designed to assist users with advanced automation tasks, but due to this vulnerability, the boundaries were effectively blurred by allowing untrusted code to take the same privileges.

Furthermore, the report highlights that this emerging category of so-called AI or agentic browsers is primarily based on integrated assistants that are capable of monitoring and interacting with user activity as it occurs. There has been a broader shift toward AI-augmented browsing environments, as evidenced by platforms such as Atlas, Comet, and Copilot within Microsoft Edge, as well as Gemini in Google Chrome.

Typically, these platforms feature an integrated assistant panel that summarizes content in real time, automates routine actions, and provides contextual guidance based on the page being viewed. By receiving privileged access to what a user sees and interacts with, the assistant often allows it to perform complex, multi-step tasks across multiple sites and local resources, allowing it to perform these functions. 

CVE-2026-0628, however, presented an unexpected attack surface as a consequence of that same level of integration: malicious code was able to exercise capabilities far beyond those normally available to extensions by compromising the trusted Gemini panel itself.

Chrome 143 was eventually released to address the vulnerability, however the incident underscores a growing security challenge as browsers evolve into intelligent platforms blending traditional web interfaces with deep integrations of artificial intelligence systems. It is noted that as artificial intelligence features become increasingly embedded into everyday browsing tools, the incident reflects an emerging structural challenge. 

Incorporating an agent-driven assistant directly into the browser allows the user to observe page content, interpret context and perform multi-step tasks such as summarizing information, translating text, or completing tasks on their behalf. In order for these systems to provide the level of functionality they require, extensive visibility into the browsing environment and privileged access to browser resources are required.

It is not surprising that AI assistants can be extremely useful productivity tools, but this architecture also creates the possibility of malicious content attempting to manipulate the assistant itself. For instance, a carefully crafted webpage may contain hidden prompts that can influence the behavior of the AI. 

A user could potentially be persuaded-through phishing, social engineering, or deceptive links-to open a phishing-type webpage by the instructions, which could lead the assistant to perform operations which are otherwise restricted by the browser's security model, such as retrieving sensitive data or performing unintended actions, if such instructions are provided.

According to researchers, malicious prompts may be able to persist in more advanced scenarios by affecting the AI assistant's memory or contextual information between sessions in more advanced scenarios. By incorporating instructions into the browsing interaction itself, attackers may attempt to create an indirect persistence scenario that results in the assistant following manipulated directions even after the original webpage has been closed by embedding instructions within the browsing interaction itself. 

In spite of the fact that such techniques remain largely theoretical in many environments, they show how artificial intelligence-driven interfaces create entirely new attack surfaces that traditional browser security models were not designed to address. Analysts have cautioned that integrating assistant panels directly into the browser's privileged environment can also reactivate longstanding web security threats. 

Researchers at Unit 42 have found that placement of AI components within high-trust browser contexts might inadvertently expose them to bugs such as cross-site scripting, privilege escalation, and side-channel attacks. 

Omer Weizman, a security researcher, explained that embedded complex artificial intelligence systems into privileged browser components increases the likelihood that unintended interactions can occur between lower privilege websites or extensions due to logical or implementation oversights. It is therefore important to point out that CVE-2026-0628 serves as a cautionary example of how advances in AI-assisted browsing must be accompanied by equally sophisticated security safeguards in order to ensure that convenience does not compromise the privacy of the user or the integrity of the system. 

There is no doubt that the discovery serves as a timely reminder to security professionals and browser developers regarding the need for a rigorous approach to security design and oversight in the rapid integration of artificial intelligence into core browsing environments. With the increasing capabilities of assistants embedded within platforms, such as Google Chrome, to observe content, interact with system resources, and automate complex workflows through services such as Gemini, the traditional browser trust model has to evolve in order to accommodate these expanded privileges.

Moreover, researchers recommend that organizations and users remain cautious when installing extensions on their browsers, keep browsers up to date with the latest security patches, and treat AI-powered automation features with the same scrutiny as other high-privilege components. It is also important for the industry to ensure that the convenience offered by intelligent assistants does not outpace the safeguards necessary to contain them. 

As the next generation of artificial intelligence-augmented browsers continues to develop, strong isolation boundaries, hardened interfaces, and an anticipatory response to prompts will likely become essential priorities.
Read more »
online privacy concerns
AI Browser Security AI Browsers AI cyberattacks AI technology Cyber Security Data Theft online privacy concerns

AI Browsers Raise Privacy and Security Risks as Prompt Injection Attacks Grow

 

A new wave of competition is stirring in the browser market as companies like OpenAI, Perplexity, and The Browser Company aggressively push to redefine how humans interact with the web. Rather than merely displaying pages, these AI browsers will be engineered to reason, take action independently, and execute tasks on behalf of end users. At least four such products, including ChatGPT's Atlas, Perplexity's Comet, and The Browser Company's Dia, represent a transition reminiscent of the early browser wars, when Netscape and Internet Explorer battled to compete for a role in the shaping of the future of the Internet. 

Whereas the other browsers rely on search results and manual navigation, an AI browser is designed to understand natural language instructions and perform multi-step actions. For instance, a user can ask an AI browser to find a restaurant nearby, compare options, and make a reservation without the user opening the booking page themselves. In this context, the browser has to process both user instructions and the content of each of the webpages it accesses, intertwining decision-making with automation. 

But this capability also creates a serious security risk that's inherent in the way large language models work. AI systems cannot be sure whether a command comes from a trusted user or comes with general text on an untrusted web page. Malicious actors may now inject malicious instructions within webpages, which can include uses of invisible text, HTML comments, and image-based prompts. Unbeknownst to them, that might get processed by an AI browser along with the user's original request-a type of attack now called prompt injection. 

The consequence of such attacks could be dire, since AI browsers are designed to gain access to sensitive data in order to function effectively. Many ask for permission to emails, calendars, contacts, payment information, and browsing histories. If compromised, those very integrations become conduits for data exfiltration. Security researchers have shown just how prompt injections can trick AI browsers into forwarding emails, extracting stored credentials, making unauthorized purchases, or downloading malware without explicit user interaction. One such neat proof-of-concept was that of Perplexity's Comet browser, wherein the researchers had embedded command instructions in a Reddit comment, hidden behind a spoiler tag. When the browser arrived and was asked to summarise the page, it obediently followed the buried commands and tried to scrape email data. The user did nothing more than request a summary; passive interactions indeed are enough to get someone compromised. 

More recently, researchers detailed a method called HashJack, which abuses the way web browsers process URL fragments. Everything that appears after the “#” in a URL never actually makes it to the server of a given website and is only accessible to the browser. An attacker can embed nefarious commands in this fragment, and AI-powered browsers may read and act upon it without the hosting site detecting such commands. Researchers have already demonstrated that this method can make AI browsers show the wrong information, such as incorrect dosages of medication on well-known medical websites. Though vendors are experimenting with mitigations, such as reinforcement learning to detect suspicious prompts or restricting access during logged-out browsing sessions, these remain imperfect. 

The flexibility that makes AI browsers useful also makes them vulnerable. As the technology is still in development, it shows great convenience, but the security risks raise questions of whether fully trustworthy AI browsing is an unsolved problem.
Read more »
prompt injection attacks
AI Browser Security AI vulnerabilities Atlas Browser Comet Browser Cybersecurity Threats Digital Privacy Risks Online Safety Privacy prompt injection attacks

AI Browsers Spark Debate Over Privacy and Cybersecurity Risks

 


With the rapid development of artificial intelligence, the digital landscape continues to undergo a reshaping process, and the internet browser itself seems to be the latest frontier in this revolution. After the phenomenal success of AI chatbots such as ChatGPT, Google Gemini, and Perplexity, tech companies are now racing to integrate the same kind of intelligence into the very tool that people use every day to navigate the world online. 

A recent development by Google has been the integration of Gemini into its search engine, while both OpenAI and Perplexity have released their own AI-powered browsers, Atlas and Perplexity, all promising a more personalised and intuitive way to browse online content. In addition to offering unprecedented convenience and conversational search capabilities for users, this innovation marks the beginning of a new era in information access. 

In spite of the excitement, cybersecurity professionals remain increasingly concerned. There is a growing concern among experts that intelligent systems are inadvertently exposing users to sophisticated cyber risks in spite of enhancing their user experience. 

A context-aware interaction or dynamic data retrieval feature that allows users to interact with their environment can be exploited through indirect prompt injection and other manipulation methods, which may allow attackers to exploit the features. 

It is possible that these vulnerabilities may allow malicious actors to access sensitive data such as personal files, login credentials, and financial information, which raises the risk of data breaches and cybercriminals. In these new eras of artificial intelligence, where the boundaries between browsing and AI are blurring, there has become an increasing urgency in ensuring that trust, transparency, and safety are maintained on the Internet. 

AI browsers continue to divide experts when it comes to whether they are truly safe to use, and the issue becomes increasingly complicated as the debate continues. In addition to providing unprecedented ease of use and personalisation, ChatGPT's Atlas and Perplexity's Comet represent the next generation of intelligent browsers. However, they also introduce new levels of vulnerability that are largely unimaginable in traditional web browsers. 

It is important to understand that, unlike conventional browsers, which are just gateways to online content, these artificial intelligence-driven platforms function more like a digital assistant on their own. Aside from learning from user interactions, monitoring browsing behaviours, and even performing tasks independently across multiple sites, humans and machines are becoming increasingly blurred in this evolution, which has fundamentally changed the way we collect and process data today. 

A browser based on Artificial Intelligence watches and interprets each user's digital moves continuously, from clicks to scrolls to search queries and conversations, creating extensive behavioural profiles that outline users' interests, health concerns, consumer patterns, and emotional tendencies based on their data. 

Privacy advocates have argued for years that this level of surveillance is more comprehensive than any cookie or analytics tool on the market today, and represents a turning point in digital tracking. During a recent study by the Electronic Frontier Foundation, organisation discovered that Atlas retained search data related to sensitive medical inquiries, including names of healthcare providers, which raised serious ethical and legal concerns in regions that restricted certain medical procedures.

Due to the persistent memory architecture of these systems, they are even more contentious. While ordinary browsing histories can be erased by the user, AI memories, on the other hand, are stored on remote servers, which are frequently retained indefinitely. By doing so, the browser maintains long-term context. The system can use this to access vast amounts of sensitive data - ranging from financial activities to professional communications to personal messages - even long after the session has ended. 

These browsers are more vulnerable than ever because they require extensive access permissions to function effectively, which includes the ability to access emails, calendars, contact lists, and banking information. Experts have warned that such centralisation of personal data creates a single point of catastrophic failure—one breach could expose an individual's entire digital life. 

OpenAI released ChatGPT Atlas earlier this week, a new browser powered by artificial intelligence that will become a major player in the rapidly expanding marketplace of browsers powered by artificial intelligence. The Atlas browser, marketed as a browser that integrates ChatGPT into your everyday online experience, represents an important step forward in the company’s effort to integrate generative AI into everyday living. 

Despite being initially launched for Mac users, OpenAI promises to continue to refine its features and expand compatibility across a range of platforms in the coming months. As Atlas competes against competitors such as Perplexity's Comet, Dia, and Google's Gemini-enabled Chrome, the platform aims to redefine the way users interact with the internet—allowing ChatGPT to follow them seamlessly as they browse through the web. 

As described by OpenAI, ChatGPT's browser is equipped to interpret open tabs, analyse data on the page, and help users in real time, without requiring users to switch between applications or copy content manually. There have been a number of demonstrations that have highlighted the versatility of the tool, demonstrating its capability of completing a broad range of tasks, from ordering groceries and writing emails to summarising conversations, analysing GitHub repositories and providing research assistance. OpenAI has mentioned that Atlas utilises ChatGPT’s built-in memory in order to be able to remember past interactions and apply context to future queries based on those interactions.

There is a statement from the company about the company's new approach to creating a more intuitive, continuous user experience, in which the browser will function more as a collaborative tool and less as a passive tool. In spite of Atlas' promise, just as with its AI-driven competitors, it has stirred up serious issues around security, data protection and privacy. 

One of the most pressing concerns regarding prompt injection attacks is whether malicious actors are manipulating large language models to order them to perform unintended or harmful actions, which may expose customer information. Experts warn that such "agentic" systems may come at a significant security cost. 

 An attack like this can either occur directly through the user's prompts or indirectly by hiding hidden payloads within seemingly harmless web pages. A recent study by Brave researchers indicates that many AI browsers, including Comet and Fellou, are vulnerable to exploits like this. The attacker is thus able to bypass browser security frameworks and gain unauthorized access to sensitive domains such as banks, healthcare facilities, or corporate systems by bypassing browser security frameworks. 

It has also been noted that many prominent technologists have voiced their reservations. Simon Willison, a well-known developer and co-creator of the Django Web Framework, has urged that giving browsers the freedom to act autonomously on their users' behalf would pose grave risks. Even seemingly harmless requests, like summarising a Reddit post, could, if exploited via an injection vulnerability, be used to reveal personal or confidential information. 

With the advancement of artificial intelligence browsers, the tension between innovation and security becomes more and more intense, prompting the call for stronger safeguards before these tools become mainstream digital companions. There has been an increase in the number of vulnerabilities discovered by security researchers that make AI browsers a lot more dangerous than was initially thought, with prompt injection emerging as the most critical vulnerability. 

A malicious website can use this technique to manipulate AI-driven browser agents secretly, effectively turning them against a user. Researchers at Brave found that attackers are able to hide invisible instructions within webpage code, often rendered as white text on white backgrounds. These instructions are unnoticeable by humans but are easily interpreted by artificial intelligence systems. 

A user may be directed to perform unauthorised actions when they visit a web page containing embedded commands. For example, they may be directed to retrieve private e-mails, access financial data, or transfer money without their consent. Due to the inherent lack of contextual understanding that artificial intelligence systems possess, they can unwittingly execute these harmful instructions, with full user privileges, when they do not have the ability to differentiate between legitimate inputs from deceptive prompts. 

These attacks have caused a lot of attention among the cybersecurity community due to their scale and simplicity. Researchers from LayerX demonstrated the use of a technique called CometJacking, which was demonstrated as a way of hijacking Perplexity’s Comet browser into a sophisticated data exfiltration tool by a single malicious link. 

A simple encoding method known as Base64 encoding was used by attackers to bypass traditional browser security measures and sandboxes, allowing them to bypass the browser's protections. It is therefore important to know that the launch point for a data theft campaign could be a seemingly harmless comment on Reddit, a social media post, or even an email newsletter, which could expose sensitive personal or company information in an innocuous manner. 

The findings of this study illustrate the inherent fragility of artificial intelligence browsers, where independence and convenience often come at the expense of safety. It is important to note that cybersecurity experts have outlined essential defence measures for users who wish to experiment with AI browsers in light of these increasing concerns. 

Individuals should restrict permissions strictly, giving access only to non-sensitive accounts and avoiding involving financial institutions or healthcare institutions until the technology becomes more mature. By reviewing activity logs regularly, you can be sure that you have been alerted to unusual patterns or unauthorised actions in advance. A multi-factor authentication system can greatly enhance security across all linked accounts, while prompt software updates allow users to take advantage of the latest security patches. 

A key safeguard is to maintain manual vigilance-verifying URLs and avoiding automated interactions with unfamiliar or untrusted websites. Some prominent technologists have expressed doubts about these systems as well. A respected developer and co-creator of the Django Web Framework, Simon Willison, has warned that giving browsers the ability to act autonomously on behalf of users comes with profound risks.

It is noted that even benign requests, such as summarising a Reddit post, could inadvertently expose sensitive information if exploited by an injection vulnerability, and this could result in personal information being released into the public domain. With the advancement of artificial intelligence browsers, the tension between innovation and security becomes more and more intense, prompting the call for stronger safeguards before these tools become mainstream digital companions. 

There has been an increase in the number of vulnerabilities discovered by security researchers that make AI browsers a lot more dangerous than was initially thought, with prompt injection emerging as the most critical vulnerability. Using this technique, malicious websites have the ability to manipulate the AI-driven browsers, effectively turning them against their users. 

Brave researchers discovered that attackers are capable of hiding invisible instructions within the code of the webpages, often rendered as white text on a white background. The instructions are invisible to the naked eye, but are easily interpreted by artificial intelligence systems. The embedded commands on such pages can direct the browser to perform unauthorised actions, such as retrieving private emails, accessing financial information, and transferring funds, as a result of a user visiting such a page.

Since AI systems are inherently incapable of distinguishing between legitimate and deceptive user inputs, they can unknowingly execute harmful instructions with full user privileges without realising it. This attack has sparked the interest of the cybersecurity community due to its scale and simplicity. 

Researchers from LayerX have demonstrated a method of hijacking Perplexity's Comet browser by merely clicking on a malicious link, and using this technique, transforming the browser into an advanced data exfiltration tool. Attackers were able to bypass traditional browser security measures and security sandboxes by using simple methods like Base64 encoding.

It means that a seemingly harmless comment on Reddit, a post on social media, or an email newsletter can serve as a launch point for a data theft campaign, thereby potentially exposing sensitive personal and corporate information to a third party. There is no doubt that AI browsers are intrinsically fragile, where autonomy and convenience sometimes come at the expense of safety. The findings suggest that AI browsers are inherently vulnerable. 

It has become clear that security experts have identified essential defence measures to protect users who wish to experiment with AI browsers in the face of increasing concerns. It is suggested that individuals restrict their permissions as strictly as possible, granting access only to non-sensitive accounts and avoiding connecting to financial or healthcare services until the technology is well developed. 

In order to detect unusual patterns or unauthorised actions in time, it is important to regularly review activity logs. Multi-factor authentication is a vital component of protecting linked accounts, as it adds a new layer of security, while prompt software updates ensure that users receive the latest security patches on their systems. 

Furthermore, experts emphasise manual vigilance — verifying URLs and avoiding automated interactions with unfamiliar or untrusted websites remains crucial to protecting their data. There is, however, a growing consensus among professionals that artificial intelligence browsers, despite impressive demonstrations of innovation, remain unreliable for everyday use. 

Analysts at Proton concluded that AI browsers are no longer reliable for everyday use. This argument argues that the issue is not only technical, but is structural as well; privacy risks are a part of the very design of these systems themselves. AI browser developers, who prioritise functionality and personalisation over all else, have inherently created extensive surveillance architectures that rely heavily on user data in order to function as intended. 

It has been pointed out by OpenAI's own security leadership that prompt injection remains an unresolved frontier issue, thus emphasising that this emerging technology is still a very experimental and unsettled one. The consensus among cybersecurity researchers, at the moment, is that the risks associated with artificial intelligence browsers far outweigh their convenience, especially for users dealing with sensitive personal and professional information. 

With the acceleration of the AI browser revolution, it is now crucial to strike a balance between innovation and accountability. Despite the promise of seamless digital assistance and a hyper-personalised browsing experience through tools such as Atlas and Comet, they must be accompanied by robust ethical frameworks, transparent data governance, and stronger security standards to make progress.

A lot of experts stress that the real progress will depend on the way this technology evolves responsibly - prioritising user consent, privacy, and control over convenience for the end user. In the meantime, users and developers alike should not approach AI browsers with fear, but with informed caution and an insistence that trust is built into the browser as a default state.
Read more »
Subscribe to: Comments (Atom)