- Zenity researchers uncovered PleaseFix, a zero-click indirect prompt injection flaw in Comet browser
- Malicious calendar invites could trick the AI into exfiltrating passwords and sensitive files without user awareness
- Bug patched with restrictions on file:// access, preventing agents from reading local filesystem
Perplexity’s AI-powered Comet web browser is vulnerable to indirect prompt injection attacks, which threat actors can exploit to exfiltrate sensitive data such as passwords, experts have warned.
Security researchers Zenity dubbed the flaw PleaseFix, and demonstrated different ways in which it might be abused.
In a technical blog, Zenity explained that PleaseFix was a zero-click vulnerability, meaning it did not require the victim to run a malicious command or a program. All the victim needs to do is go about their day as they would normally do.
Zero-click
At the heart of the problem is the fact that AI agents cannot distinguish between data and instruction. If the user instructs the AI to read a certain data set and act on it, and if that data set contains a prompt of its own, the agent will execute it without alerting the victim.
In practice, as Zenity showed, it works like this: A malicious actor can send a calendar invite to their target which, by all accounts can look authentic and benign. The calendar entry can be anything, from a regular call, to a job interview. If the victim adds the invite to their calendar, and later asks Comet to summarize it, or help prepare for it, the AI agent will execute that command, even if the calendar entry has a prompt of its own.
In this scenario, the calendar entry contained a prompt to scour through the victim’s files, look for documents named “passwords” or similar, and exfiltrate whatever information is found. An alternate scenario shows how the same tactic can be used to exfiltrate passwords stored in a password manager.
The worst part about the attack is that the victim is oblivious. Everything happens in the background, and while the victim reads the AI-generated summary, as they would have expected, in the background the AI turned into a malicious insider and worked for the attacker.
Zenity said the bug was fixed following responsible disclosure.
“The fix includes a new hard boundary deterministically limiting the browser’s ability to autonomously access file:// paths,” the researchers explained.
“This means that while the user will still be able to access these paths the agent is restricted from doing so. No matter the prompt or the situation, the agent wouldn’t be able to navigate or operate in URLs starting with file:// and access the user’s local filesystem.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/Gu8XfetHGhnHJKVFvvXgm7-1920-80.png
Source link
