Do you recall the time when clicking on a dubious advertisement was your biggest browser concern? Brave, a browser firm, has revealed a flaw in Perplexity’s Comet browser that security experts are referring to as the “Lethal Trifecta”: when AI can interact externally (send messages), access private data (your accounts), and access untrusted data (websites).
Here’s what happened
- Researchers found that they could conceal harmful instructions in ordinary web material, such as invisible text on webpages or comments on Reddit.
- Like a sleeper agent triggered by a code word, the AI would carry out these concealed directives when users clicked “Summarize this page.”
- Following the concealed instructions, the AI did the following:
Go to the user’s Perplexity account and obtain their email address.
Get a unique password by initiating a password reset.
Visit Gmail to see that password.
Send both the email and the password to the attacker via a Reddit comment.
The game is over. The account has been taken over.
Researchers found that dangerous instructions might be concealed in ordinary web material, such as comments on Reddit or even invisible text on websites.
This is what makes this extra spicy.
In reality, this “bug” represents a basic weakness in AI. According to one security researcher, “To an LLM, everything is just text.” Therefore, the AI in your browser is literally unable to distinguish between your request to “summarize this page” and the concealed content that reads, “steal my banking credentials.” Both of them are merely words.
The Hacker News community is split on this. Some claim that this renders AI browsers inherently insecure, similar to creating a lock that cannot differentiate between a key and a crowbar. Others believe we simply need improved safeguards, such as demanding user approval for sensitive activities or operating AI in separate sandboxes.
Why this is important
We are witnessing a clash between the “move fast and break things” mindset of Silicon Valley and the fact that “things” now include an agent with access to your bank account. This vulnerability exists in all AI browsers with these features, which is an unwelcome reality. Why do you think OpenAI now only provides ChatGPT Agent via a cloud instance that is sandboxed?
Even if Perplexity fixed this particular assault, the fundamental issue still exists: How can one create an AI assistant that is both beneficial and invulnerable?
Brave recommends a few fixes
User instructions are clearly separated from the website content.
User confirmation is required for sensitive activities.
Isolating AI browsing from traditional browsing.
Until we figure all of things out, perhaps keep your AI browser away from your financial tabs.
