Google Enhances Chrome Agentic AI Security Against Indirect Prompt Injection Attacks
Summary
Google is introducing new security measures to protect Chrome's agentic AI capabilities from indirect prompt injection attacks. These protections include a new AI model called the User Alignment Critic, expanded site isolation policies, additional user confirmation steps for sensitive actions, and a prompt injection detection classifier. The User Alignment Critic independently evaluates the agent's actions, ensuring they align with the user's goals. Google is also enforcing Agent Origin Sets to limit the agent's access to relevant data origins and has developed automated red-teaming systems to test defenses. The company has announced bounty payments for security researchers to further enhance the system's robustness.
Timeline
- 08.12.2025 20:00 — 3 articles
Google Introduces User Alignment Critic and Expanded Site Isolation for Chrome Agentic AI
Google is implementing new security measures to protect Chrome's agentic AI capabilities from indirect prompt injection attacks. These measures include the User Alignment Critic, which vets the agent's actions to prevent goal-hijacking and data exfiltration. The User Alignment Critic runs after the planning is complete to double-check each proposed action and provides feedback to the planning model to re-formulate its plan if an action is misaligned. Additionally, Google is expanding site isolation policies with Agent Origin Sets to limit the agent's access to relevant data origins. The agent also requires user confirmation before performing sensitive actions, such as navigating to sensitive sites or completing transactions. The new security architecture involves a layered defense approach combining deterministic rules, model-level protections, isolation boundaries, and user oversight. Google has developed automated red-teaming systems to test defenses and announced bounty payments for security researchers to identify vulnerabilities in the new system.
Sources:
- Google Fortifies Chrome Agentic AI Against Indirect Prompt Injection Attacks — www.securityweek.com — 08.12.2025 20:00
- Google Chrome adds new security layer for Gemini AI agentic browsing — www.bleepingcomputer.com — 08.12.2025 20:08
- Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats — thehackernews.com — 09.12.2025 13:14
Information Snippets
- Google is implementing layered defenses to protect Chrome's agentic AI capabilities from indirect prompt injection attacks. (First reported 08.12.2025 20:00; 3 sources: www.securityweek.com, www.bleepingcomputer.com, thehackernews.com)
- The User Alignment Critic is a new AI model designed to vet the agent's actions and prevent goal-hijacking and data exfiltration. (First reported 08.12.2025 20:00; 3 sources: www.securityweek.com, www.bleepingcomputer.com, thehackernews.com)
- Google is expanding Site Isolation and same-origin policy protections with Agent Origin Sets to limit the agent's access to relevant data origins. (First reported 08.12.2025 20:00; 3 sources: www.securityweek.com, www.bleepingcomputer.com, thehackernews.com)
- The agent creates a work log and requires user confirmation before performing impactful actions, such as navigating to sensitive sites or completing transactions. (First reported 08.12.2025 20:00; 3 sources: www.securityweek.com, www.bleepingcomputer.com, thehackernews.com)
- Google is testing these defenses using automated red-teaming systems that generate malicious sandboxed sites. (First reported 08.12.2025 20:00; 3 sources: www.securityweek.com, www.bleepingcomputer.com, thehackernews.com)
- Google is introducing a new defense layer called 'User Alignment Critic' to protect upcoming agentic AI browsing features powered by Gemini. (First reported 08.12.2025 20:08; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The User Alignment Critic is a separate LLM model isolated from untrusted content that acts as a "high-trust system component." (First reported 08.12.2025 20:08; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The new security architecture involves a layered defense approach combining deterministic rules, model-level protections, isolation boundaries, and user oversight. (First reported 08.12.2025 20:08; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- Google has developed automated red-teaming systems that generate test sites and LLM-driven attacks to continuously test defenses and develop new ones. (First reported 08.12.2025 20:08; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- Google has announced bounty payments of up to $20,000 for security researchers who can break the new system. (First reported 08.12.2025 20:08; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The User Alignment Critic runs after the planning is complete to double-check each proposed action. (First reported 09.12.2025 13:14; 1 source: thehackernews.com)
- The User Alignment Critic provides feedback to the planning model to re-formulate its plan if an action is misaligned. (First reported 09.12.2025 13:14; 1 source: thehackernews.com)
- Agent Origin Sets enforce that only data from a limited set of origins is available to the agent. (First reported 09.12.2025 13:14; 1 source: thehackernews.com)
- The gating function determines which origins are related to the task and categorizes them into read-only and read-writable origins. (First reported 09.12.2025 13:14; 1 source: thehackernews.com)
- The agent creates a work log for user observability and requests explicit approval before navigating to sensitive sites. (First reported 09.12.2025 13:14; 1 source: thehackernews.com)
- The agent checks each page for indirect prompt injections and operates alongside Safe Browsing and on-device scam detection to block potentially suspicious content. (First reported 09.12.2025 13:14; 1 source: thehackernews.com)
- Google will pay up to $20,000 for demonstrations that result in a breach of the security boundaries. (First reported 09.12.2025 13:14; 1 source: thehackernews.com)
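The snippets above describe three deterministic layers: an Agent Origin Set that a gating function splits into read-only and read-writable origins, a deny-by-default check on every action the planner proposes, and a user-confirmation step plus work log for impactful actions. The following is an added illustrative example of how such a gate can be wired together; it is not Chrome's or Google's code. The task, the origins, the action kinds (`read`, `navigate`, `fill`, `submit`), the `data_from` field that records which page's content an action carries, and the sample plans are all constructed here.

```python
"""Added example: a task-scoped Agent Origin Set gate (not Chrome's code).

Models the page's description: origins classified read-only vs read-writable,
every proposed action checked against that set, explicit user approval before
navigating to a sensitive origin or completing a transaction, and a work log.
All origins, task names and plans below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit


class Access(Enum):
    READ_ONLY = "read-only"
    READ_WRITE = "read-writable"


def origin_of(url: str) -> str:
    """Web origin (scheme://host[:port]) of an absolute URL; path and query are ignored."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{p.hostname.lower()}{port}"


@dataclass(frozen=True)
class AgentOriginSet:
    """Origins the (hypothetical) gating function judged related to one task."""
    task: str
    read_only: frozenset
    read_write: frozenset
    sensitive: frozenset = frozenset()  # subset of read_write needing explicit approval

    def access_for(self, origin: str) -> Optional[Access]:
        if origin in self.read_write:
            return Access.READ_WRITE
        if origin in self.read_only:
            return Access.READ_ONLY
        return None  # deny by default: origin is not part of the task


@dataclass(frozen=True)
class Action:
    kind: str                        # "read" | "navigate" | "fill" | "submit" (constructed vocabulary)
    url: str
    data_from: Optional[str] = None  # URL whose page content this action carries along


@dataclass(frozen=True)
class Decision:
    allowed: bool
    needs_confirmation: bool
    reason: str


WRITE_KINDS = frozenset({"navigate", "fill", "submit"})


def gate(aos: AgentOriginSet, action: Action) -> Decision:
    """Deterministic check applied to each action before it is executed."""
    target = origin_of(action.url)
    access = aos.access_for(target)
    if access is None:
        return Decision(False, False, f"{target} is outside the origin set for {aos.task!r}")
    if action.kind in WRITE_KINDS and access is not Access.READ_WRITE:
        return Decision(False, False, f"{target} is read-only; {action.kind} denied")
    if action.data_from is not None and aos.access_for(origin_of(action.data_from)) is None:
        # Content from an origin outside the set must never flow into an action.
        return Decision(False, False, f"content from {origin_of(action.data_from)} is outside the origin set")
    needs_confirmation = action.kind == "submit" or (
        action.kind == "navigate" and target in aos.sensitive
    )
    return Decision(True, needs_confirmation, f"{action.kind} on {target} permitted")


LogEntry = Tuple[str, str, str, str]  # (status, kind, url, reason)


def run_plan(aos: AgentOriginSet, plan: List[Action],
             approve: Callable[[Action], bool]) -> List[LogEntry]:
    """Execute-or-stop loop that also builds the user-visible work log."""
    work_log: List[LogEntry] = []
    for action in plan:
        d = gate(aos, action)
        if not d.allowed:
            work_log.append(("blocked", action.kind, action.url, d.reason))
            break  # hand control back to the planner with the reason
        if d.needs_confirmation and not approve(action):
            work_log.append(("declined", action.kind, action.url, "user did not approve"))
            break
        work_log.append(("done", action.kind, action.url, d.reason))
    return work_log


# Constructed sample: the gating function decided a flight-booking task may read the
# calendar, read and write the airline and payment sites, and that payment is sensitive.
EXAMPLE_SET = AgentOriginSet(
    task="book a flight",
    read_only=frozenset({"https://calendar.example"}),
    read_write=frozenset({"https://airline.example", "https://pay.example"}),
    sensitive=frozenset({"https://pay.example"}),
)

CLEAN_PLAN = [
    Action("read", "https://calendar.example/events"),
    Action("navigate", "https://airline.example/search"),
    Action("fill", "https://airline.example/passenger", data_from="https://calendar.example/events"),
    Action("navigate", "https://pay.example/checkout"),
    Action("submit", "https://pay.example/checkout"),
]

# Same plan with one extra step a page-injected instruction might add (constructed):
# send calendar content to an origin that was never part of the task.
INJECTED_PLAN = CLEAN_PLAN[:3] + [
    Action("fill", "https://attacker.example/collect", data_from="https://calendar.example/events"),
] + CLEAN_PLAN[3:]


if __name__ == "__main__":
    for entry in run_plan(EXAMPLE_SET, INJECTED_PLAN, approve=lambda a: True):
        print(entry)
```

The `data_from` check is the part worth noting: it is not enough to confine where the agent may write; the gate also refuses to carry content read inside the task's origins to a write outside them, which is the exfiltration path the page's sources describe. The `approve` callback stands in for the confirmation dialog, and the returned work log is what a user would be shown.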
Similar Happenings
Emerging Security Risks of Agentic AI Browsers
A new generation of AI browsers, known as agentic browsers, is transitioning from passive tools to autonomous agents capable of executing tasks on behalf of users. This shift introduces significant security risks, including increased attack surfaces and vulnerabilities to prompt injection attacks. Security teams must adapt their strategies to mitigate these risks as the adoption of AI browsers grows.
Indirect Prompt Injection Vulnerabilities in ChatGPT Models
Researchers from Tenable discovered seven vulnerabilities in OpenAI's ChatGPT models (GPT-4o and GPT-5) that enable attackers to extract personal information from users' memories and chat histories. These vulnerabilities allow for indirect prompt injection attacks, which manipulate the AI's behavior to execute unintended or malicious actions. OpenAI has addressed some of these issues, but several vulnerabilities persist. The vulnerabilities include indirect prompt injection via trusted sites, zero-click indirect prompt injection in search contexts, and prompt injection via crafted links. Other techniques involve bypassing safety mechanisms, injecting malicious content into conversations, hiding malicious prompts, and poisoning user memories. The vulnerabilities affect the 'bio' feature, which allows ChatGPT to remember user details and preferences across chat sessions, and the 'open_url' command-line function, which leverages SearchGPT to access and render website content. Attackers can exploit the 'url_safe' endpoint by using Bing click-tracking URLs to lure users to phishing sites or exfiltrate user data. These findings highlight the risks associated with exposing AI chatbots to external tools and systems, which expand the attack surface for threat actors. The vulnerabilities stem from how ChatGPT ingests and processes instructions from external sources, allowing attackers to exploit these flaws through various methods. The most concerning issue is a zero-click vulnerability, where simply asking ChatGPT a benign question can trigger an attack if the search results include a poisoned website.
AI-targeted cloaking attack exploits AI crawlers
AI security company SPLX has identified a new security issue in agentic web browsers like OpenAI ChatGPT Atlas and Perplexity. This issue exposes underlying AI models to context poisoning attacks through AI-targeted cloaking. Attackers can serve different content to AI crawlers compared to human users, manipulating AI-generated summaries and overviews. This technique can introduce misinformation, bias, and influence the outcomes of AI-driven systems. The hCaptcha Threat Analysis Group (hTAG) has also analyzed browser agents against common abuse scenarios, revealing that these agents often execute risky tasks without safeguards. This makes them vulnerable to misuse by attackers. The attack can undermine trust in AI tools and manipulate reality by serving deceptive content to AI crawlers.
Security Weaknesses Identified in AI Browsers
Security researchers at SquareX Labs have identified architectural security weaknesses in AI browsers, including Perplexity’s Comet. AI browsers integrate AI assistants to automate user tasks, but this integration introduces new cyber risks. These risks include malicious workflows, prompt injection, malicious downloads, and misuse of trusted apps. The research highlights the need for stronger safeguards as AI capabilities become standard in web browsing.
Google Gemini AI Vulnerabilities Allowing Prompt Injection and Data Exfiltration
Researchers disclosed three vulnerabilities in Google's Gemini AI assistant that could have exposed users to privacy risks and data theft. The flaws, collectively named the Gemini Trifecta, affected Gemini Cloud Assist, the Search Personalization Model, and the Browsing Tool. These vulnerabilities allowed for prompt injection attacks, search-injection attacks, and data exfiltration. Google has since patched the issues and implemented additional security measures. The vulnerabilities could have been exploited to inject malicious prompts, manipulate AI behavior, and exfiltrate user data. The flaws highlight the potential risks of AI tools being used as attack vectors rather than just targets. The Gemini Search Personalization model's flaw allowed attackers to manipulate AI behavior and leak user data by injecting malicious search queries via JavaScript from a malicious website. The Gemini Cloud Assist flaw allowed attackers to execute instructions via prompt injections hidden in log content, potentially compromising cloud resources and enabling phishing attacks. The Gemini Browsing Tool flaw allowed attackers to exfiltrate a user's saved information and location data by exploiting the tool's 'Show thinking' feature. Google has made specific changes to mitigate each flaw, including rolling back vulnerable models, hardening search personalization features, and preventing data exfiltration from browsing in indirect prompt injections.