Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Redazione RHC : 6 December 2025 19:25
Researchers at Striker STAR Labs have described a new agent-based browser attack that can turn a regular email into a near-complete wiper of your Google Drive inbox.
The attack targets Comet , an AI-powered browser from Perplexity that can automatically manage a user’s email and cloud.
The technique, called Google Drive Wiper, is a ” zero-click ” attack: the user doesn’t have to click on a malicious link or open an attachment. It works by connecting the browser to Gmail and Google Drive via OAuth. The user grants the agent one-time permission to read emails, view files, and perform actions on them , such as moving, renaming, or deleting them. The agent can then perform these actions automatically in response to text requests.
A simple and harmless request might be: ” Check my email and complete any recent cleanup tasks .” The agent analyzes the emails, finds relevant messages, and follows the instructions. The problem is that the attacker can pre-send the victim a specially crafted email, freely describing the Google Drive “cleanup” task : sorting files, deleting items with certain extensions or anything outside of folders, and then “inspecting the results.”
The agent perceives this email as routine and obediently follows the instructions. As a result, real user files on Google Drive are sent to the trash without further human confirmation. ” The result is the agent’s browser automatically transforming into a wiper and mass-transferring critical data to the trash with a single natural language request ,” notes security researcher Amanda Russo. According to her, once the agent has gained OAuth access to Gmail and Google Drive , the malicious instructions can quickly spread across shared folders and command-line accounts.
It’s particularly significant that this attack doesn’t rely on jailbreaking or traditional prompt injection. The attacker simply needs to be polite, provide coherent instructions, and phrase requests like ” handle this,” ” take care of this,” or ” do this for me ,” effectively handing over control to the agent. The researchers emphasize that the tone and structure of the text can subtly push a language model toward dangerous actions, even if it formally adheres to security policies.
To mitigate risk, protecting the model itself isn’t enough. You need to consider the entire chain: the agent, its connections to external services, and the natural language instructions it’s authorized to execute automatically . Otherwise, every polite, well-formed email from an unknown sender becomes a potential trigger for a zero-click attack on your data.
Meanwhile, Cato Networks has demonstrated another technique for attacking AI-powered browsers, called HashJack . In this scenario, a malicious prompt is hidden in a URL fragment after the “#” symbol , such as www.example[.]com/home# . This address can be sent via email, instant messaging, social media, or embedded in a web page. Once the victim opens the website and asks the AI-powered browser a “smart” question about the page’s content, the agent reads the hidden fragment and executes the instructions it contains.
” HashJack is the first known indirect prompt injection attack that allows any legitimate website to secretly control an AI assistant in a browser ,” explains researcher Vitaly Simonovich. The user sees a legitimate address and trusts it, while the malicious instructions are hidden in a typically overlooked part of the URL.
Following the responsible disclosure, Google assigned the issue a low priority and the status “will not fix (intended behavior) “—the behavior is considered expected. Meanwhile, Perplexity and Microsoft have released patches for their AI browsers, specifying specific versions of Comet v142.0.7444.60 and Edge 142.0.3595.94. According to the researchers, the Claude browser for Chrome and OpenAI Atlas are not vulnerable to HashJack.
The authors of the paper specifically emphasize that Google’s AI Vulnerability Reward program does not consider content generation policy violations and security guardrail bypasses to be full-fledged security vulnerabilities . In practice, this means that an entire category of attacks on AI agents remains at the intersection of security and the “expected behavior” of systems that increasingly access real-world user data and services.
Redazione