
AI Sidebar Spoofing Vulnerability in Atlas and Comet Browsers

3 unique sources, 3 articles

Summary


Researchers from NeuralTrust have discovered a vulnerability in the OpenAI Atlas browser that allows jailbreaking through the omnibox. The attack works by disguising a prompt instruction as a URL, which the browser then treats as trusted user intent; this can override the user's real intent, trigger cross-domain actions, and bypass safety layers, tricking users into following malicious instructions and leading to potential data breaches and unauthorized actions. The vulnerability affects the latest versions of the Atlas browser. Researchers demonstrated two realistic attack scenarios: a copy-link trap to phish credentials and destructive instructions to delete files. The attack requires only 'host' and 'storage' permissions, which are common for productivity tools. Users are advised to be cautious when using these browsers for sensitive activities and to restrict their use to non-sensitive tasks until further security measures are implemented. Earlier, researchers from SquareX discovered a similar vulnerability in OpenAI's Atlas and Perplexity's Comet browsers that allows AI Sidebar Spoofing; it likewise can trick users into following malicious instructions, affects the latest versions of both browsers, and requires only 'host' and 'storage' permissions.

Timeline

  1. 27.10.2025 09:29 1 article · 23h ago

    Atlas Omnibox Jailbreak Vulnerability Details and Mitigation Efforts

    The attack can be used to navigate to malicious websites, run data exfiltration commands, and install backdoors for persistent remote access. It can be initiated by entering a prompt into a spoofed sidebar: the extension hooks into the browser's AI engine and returns malicious instructions when certain 'trigger prompts' are detected. Prompt injection instructions can be hidden in websites, emails, or other sources, or in images using faint text on a background that the browser then processes via optical character recognition (OCR), to make the agent behave in unintended ways. The injected instructions can bias the agent's opinion while shopping, fetch and leak private data such as sensitive information from email or credentials, and manipulate the AI's underlying decision-making process to turn the agent against the user. The article also discusses the steps being taken to address the vulnerability, including the implementation of additional guardrails and safety measures to detect and block such attacks.

  2. 25.10.2025 14:35 2 articles · 2d ago

    Atlas Omnibox Jailbreak Vulnerability Discovered

    The attack works by disguising a prompt instruction as a URL, which is then treated as a trusted user intent. This can override user intent, trigger cross-domain actions, and bypass safety layers. The vulnerability affects the latest versions of the Atlas browser. Researchers demonstrated two realistic attack scenarios: a copy-link trap to phish credentials and destructive instructions to delete files. The attack requires only 'host' and 'storage' permissions, which are common for productivity tools. The disguised prompt can cause the browser to treat the input as a prompt to the AI agent, executing embedded instructions and redirecting the user to an attacker-controlled website. The attack can be initiated by placing a crafted 'URL' string behind a 'Copy link' button, leading users to phishing pages or executing hidden commands to delete files from connected apps like Google Drive. The attack exploits the browser's lack of strict boundaries between trusted user input and untrusted content, allowing malicious instructions to be embedded in URLs.

  3. 23.10.2025 17:09 1 article · 4d ago

    AI Sidebar Spoofing Vulnerability Discovered in Atlas and Comet Browsers

    Researchers from SquareX discovered a vulnerability in OpenAI's Atlas and Perplexity's Comet browsers that allows for AI Sidebar Spoofing. This attack can trick users into following malicious instructions, leading to potential data breaches and unauthorized actions. The vulnerability affects the latest versions of both browsers and requires only 'host' and 'storage' permissions. Users are advised to be cautious and restrict the use of these browsers to non-sensitive activities.

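
The trust-boundary failure described in the omnibox entries above (text that is not a strict URL being treated as trusted user intent) can be modelled on the defending side as follows. This is an added example, not code from Atlas, Comet, NeuralTrust or SquareX; the hostname grammar, the `OmniboxInput` type and the action names are assumptions made for illustration.

```python
"""Omnibox trust boundary (added illustration, not Atlas or Comet code).
Text typed in the omnibox navigates only if it is a strict URL; everything
else is an untrusted prompt that cannot trigger sensitive agent actions
without explicit confirmation. Hostname grammar and action names are assumed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Conservative DNS hostname grammar: letter/digit/hyphen labels plus a TLD.
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Agent actions an untrusted prompt must never trigger on its own (assumed names).
SENSITIVE_ACTIONS = {"delete_files", "cross_domain_request", "send_data"}

@dataclass(frozen=True)
class OmniboxInput:
    kind: str   # "url" (navigate only) or "prompt" (handed to the agent)
    trust: str  # "user_navigation" or "untrusted_prompt"
    value: str

def strict_url(text: str) -> "str | None":
    """Return a normalized http(s) URL, or None if the text is not a clean URL."""
    if not text or any(ch.isspace() for ch in text):
        return None  # embedded whitespace means natural language, not a locator
    if "://" not in text and HOST_RE.match(text.split("/", 1)[0].lower()):
        text = "https://" + text  # bare hostname typed by the user
    try:
        parts = urlsplit(text)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None
    if host != "localhost" and not HOST_RE.match(host):
        return None
    return text

def classify(text: str) -> OmniboxInput:
    """Decide once, at the boundary, whether omnibox text navigates or prompts."""
    text = text.strip()
    url = strict_url(text)
    if url is not None:
        return OmniboxInput("url", "user_navigation", url)
    # Not a URL: treat as a prompt, and as untrusted, because it may have been
    # pasted from a page (the 'Copy link' trap) rather than typed by the user.
    return OmniboxInput("prompt", "untrusted_prompt", text)

def needs_confirmation(inp: OmniboxInput, action: str) -> bool:
    """Sensitive actions requested through an omnibox prompt need user sign-off."""
    return inp.kind == "prompt" and action in SENSITIVE_ACTIONS
```

A strict URL only ever navigates and anything else reaches the agent as an untrusted prompt, so a pasted 'Copy link' string can neither become navigation intent nor drive a sensitive action silently.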


Similar Happenings

CometJacking attack exploits Comet browser to steal emails

A new attack called CometJacking exploits URL parameters to pass hidden instructions to Perplexity's Comet AI browser, allowing access to sensitive data from connected services like email and calendar. The attack does not require credentials or user interaction and bypasses Perplexity's data protections using Base64-encoding tricks. Comet is an agentic AI browser that can autonomously browse the web and manage tasks such as emails, shopping, and booking tickets. Despite known security gaps, its adoption is increasing. The CometJacking attack was discovered by LayerX researchers, who reported it to Perplexity in late August. Perplexity responded that it did not identify an issue, marking the report as 'not applicable.' The attack involves a five-step process where the URL instructs the Comet browser's AI to execute a hidden prompt, highlighting new security risks introduced by AI-native tools.

AI systems vulnerable to data-theft via hidden prompts in downscaled images

AI systems remain vulnerable to data-theft via hidden prompts in downscaled images. Researchers from Trail of Bits have demonstrated a novel attack vector that exploits AI systems by embedding hidden prompts in images. These prompts become visible when images are downscaled, enabling data theft or unauthorized actions. The attack leverages image resampling algorithms to reveal hidden instructions, which are then executed by the AI model. The vulnerability affects multiple AI systems, including Google Gemini CLI, Vertex AI Studio, Google Assistant on Android, and Genspark. The attack works by crafting images with specific patterns that emerge during downscaling. These patterns contain instructions that the AI model interprets as part of the user's input, leading to potential data leakage or other malicious activities. The researchers have developed an open-source tool, Anamorpher, to create images for testing and demonstrating the attack. To mitigate the risk, Trail of Bits recommends implementing dimension restrictions on image uploads, providing users with previews of downscaled images, and seeking explicit user confirmation for sensitive tool calls.

ChatGPT downgrade attack via prompt manipulation

A new technique called PROMISQROUTE allows attackers to downgrade ChatGPT to less secure models by manipulating prompts. This technique exploits ChatGPT's routing mechanism, which directs prompts to different models based on complexity and task type. The downgraded models are more susceptible to jailbreak attacks, posing a security risk. The vulnerability arises because ChatGPT uses a routing layer to direct prompts to appropriate models, including older, less secure versions. Attackers can influence this routing by adding specific phrases or keywords to their prompts, tricking the system into using less secure models. The impact of this attack includes the potential for malicious actors to bypass security measures and exploit vulnerabilities in older models. OpenAI has acknowledged the issue but has not provided a detailed solution.

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

The FileFix social engineering attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr.d0x, uses the File Explorer address bar to execute malicious commands; the campaign's multilingual phishing site tricks users into running such a command there. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated, and leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The multi-stage PowerShell script downloads the image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC; advanced obfuscation techniques, including junk code and fragmentation, hinder analysis. StealC targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack is more likely to be detected by security products because the payload is executed by the victim's web browser, but it demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.

The MetaStealer attack, another ClickFix variant, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer. Its multi-stage infection chain includes DLL sideloading via a legitimate SentinelOne executable, and it targets crypto wallets and other sensitive information, combining social engineering and technical evasion techniques.

Previously, threat actors tracked as UNC5518 leveraged ClickFix to deploy the CORNFLAKE.V3 backdoor. The campaign used fake CAPTCHA pages, reached through compromised search results or malicious ads, to trick users into running a malicious PowerShell command that downloaded and executed the backdoor, providing initial access that was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. CORNFLAKE.V3, an updated version of CORNFLAKE.V2 with host persistence and additional payload support, supported various payload types and collected system information, which was transmitted via Cloudflare tunnels to evade detection. The campaign also deployed WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.

Clickjacking vulnerabilities in major password managers

Six major password managers are vulnerable to clickjacking attacks that can leak account credentials, 2FA codes, and credit card details. The flaws were presented at DEF CON 33 and verified by Socket. Attackers exploit these vulnerabilities by overlaying invisible HTML elements over the password manager interface, tricking users into leaking sensitive information. The affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The vulnerabilities can be exploited when users visit malicious pages or websites vulnerable to XSS or cache poisoning. Some vendors have acknowledged the issues and are working on fixes, while others have downplayed the severity or not responded. Bitwarden has released a patch, and users are advised to disable the autofill function and use copy/paste until fixes are available.