Google Chrome Security Enhancements Against Account Takeover and Prompt Injection Threats
Google has introduced new layered security defenses in Chrome to address the growing risks of indirect prompt injection attacks and account takeovers, particularly as the browser integrates more agentic AI capabilities. Key features include the User Alignment Critic, which independently evaluates and vetoes potentially malicious actions by Chrome's AI agent, and Agent Origin Sets, which restrict the agent's data access to only relevant or user-approved sources. These measures are designed to prevent attackers from exploiting untrusted web content to hijack user sessions or exfiltrate sensitive data, and to mitigate site isolation bypasses that could compromise user privacy and security.
In parallel, Google has acknowledged a surge in account takeover incidents targeting Chrome users, where attackers steal credentials, authentication codes, and session cookies to access synchronized data stored in the cloud. The company is urging users to strengthen their authentication methods and reconsider the use of browser-based password managers, as a single compromised account can expose a wide range of personal information. Google is also rolling out additional protections for Workspace accounts to counteract these threats and safeguard user data across its ecosystem.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Google adds layered Chrome defenses against AI prompt injection
Google introduced new Chrome security measures to mitigate indirect prompt injection risks in agentic AI features, including User Alignment Critic, Agent Origin Sets, transparency controls, approval gates for sensitive actions, and a prompt-injection classifier. Google also said it would offer rewards of up to $20,000 for demonstrated security boundary breaches.
Google warns of rising Chrome account takeover risk
Google confirmed a rise in account takeover activity affecting Chrome users and advised users to review their Chrome settings. The report indicates Google publicly acknowledged the threat by the time the coverage was published.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Gemini AI Agent Enhanced to Counter Prompt Injection Attacks
Google has acknowledged the significant risk of prompt injection attacks targeting its Gemini-powered Chrome browsing agent, which can be manipulated to perform unauthorized actions such as initiating financial transactions or exfiltrating sensitive data. In response, Google has introduced a second AI model, termed the 'user alignment critic,' designed to independently vet the agent's proposed actions before execution. This model operates in isolation from untrusted web content, providing an additional layer of defense against both goal hijacking and data leakage. The move comes as prompt injection has been identified as a leading vulnerability in AI systems, with industry bodies like OWASP and the UK's National Cyber Security Centre highlighting its prevalence and difficulty to mitigate due to the structural limitations of large language models. The Gemini-powered browsing agent, currently in preview, is capable of navigating websites, clicking buttons, and filling forms while users are logged into sensitive accounts, increasing the potential impact of successful attacks. Security experts and analysts have emphasized the need for robust safeguards, as malicious instructions can be hidden in web pages, iframes, or user-generated content. Google's dual-model approach aims to address these concerns by ensuring that any action not aligned with the user's intent is blocked, thereby reducing the risk of exploitation through prompt injection. The development reflects a broader industry trend of reassessing the security of AI-driven browsers and the need for advanced countermeasures to protect users and organizations from emerging threats.
Mar 21, 2026
Google Chrome Rolls Out Device-Bound Session Credentials to Block Cookie Theft
Google has made **Device Bound Session Credentials (DBSC)** generally available in Chrome, rolling it out for Google Workspace customers, Workspace Individual subscribers, and personal Google accounts to blunt account takeovers driven by stolen session cookies. The feature cryptographically binds a session cookie to the device where authentication occurred, using hardware-backed protections such as the **Trusted Platform Module** on Windows and **Secure Enclave** support on macOS, so exfiltrated cookies cannot be replayed on another machine to bypass MFA. Google said DBSC is enabled by default for Workspace customers, integrates with **Context-Aware Access** for device-aware policy decisions, and exposes binding events in audit logs to help administrators monitor session integrity. The move follows sustained abuse of stolen Google authentication artifacts by infostealers and adversaries leveraging mechanisms such as the undocumented OAuth **MultiLogin** API, with operators tied to **Lumma** and **Rhadamanthys** claiming they could restore expired cookies. At the same time, researchers at Phishu disclosed **VaultJacking**, a phishing technique that can steal an entire Google Password Manager vault after capturing a victim’s 6-digit PIN, then registering an attacker-controlled device to sync passwords and passkeys without malware or prior device compromise. Phishu said the attack sidesteps DBSC because it does not rely on replaying stolen cookies, underscoring that Google’s new protection sharply reduces pass-the-cookie risk but does not stop credential- and PIN-based phishing against synced account data.
Jun 2, 2026
Malicious and High-Risk AI-Powered Chrome Extensions Enable Account Hijacking and Phishing
Security researchers reported multiple risks tied to **AI-themed browser extensions** in the Chrome/Edge ecosystem, including active malicious campaigns. Malwarebytes identified **16 malicious extensions** (15 Chrome, 1 Edge) masquerading as ChatGPT “enhancers” that **steal ChatGPT session tokens**, enabling attackers to take over accounts and access conversation history and metadata; the extensions also exfiltrate additional telemetry (e.g., extension version/language and usage details) to help attackers profile victims and maintain longer-term access. Separately, Varonis described a new **malware-as-a-service** offering called **“Stanley”** that claims to reliably get **phishing-capable Chrome extensions** through Chrome Web Store review, using full-screen `iframe` overlays to present attacker-controlled login pages while the address bar continues to show the legitimate domain; it also advertises auto-install support across Chrome/Edge/Brave, a management panel, geo/IP targeting, and frequent C2 polling. In parallel with these overtly malicious cases, an Incogni study of **442 AI-powered Chrome extensions** found broad privacy and security exposure from over-privileged extensions (e.g., script injection and deep page access) and extensive data collection (52% collecting user data), highlighting that even popular tools (e.g., **Grammarly** and **QuillBot**) can present significant privacy risk due to the scope of permissions and data categories collected.
Mar 21, 2026