Prompt Injection Risks in Agentic AI and AI-Powered Browsers
Security researchers reported that prompt injection is enabling practical attacks against agentic AI systems that have access to tools and user data, and argued the industry is underestimating the threat. A proposed framing, “promptware,” describes malicious prompts as a malware-like execution mechanism that can drive an LLM to take actions via its connected tools—potentially leading to data exfiltration, cross-system propagation, IoT manipulation, or even arbitrary code execution, depending on the permissions and integrations available.
Trail of Bits disclosed results from an adversarial security assessment of Perplexity’s Comet browser, showing how prompt injection techniques could be used to extract private information from authenticated sessions (e.g., Gmail) by abusing the browser’s AI assistant and its tool access (such as reading page content, using browsing history, and interacting with the browser). Their threat-model-driven testing emphasized that agentic assistants can treat external web content as instructions unless it is explicitly handled as untrusted input, and they published recommendations intended to reduce prompt-injection-driven data paths between the user’s local trust zone (profiles/cookies/history) and vendor-hosted agent/chat services.
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Prompt Injection Attacks Abuse AI Agent Memory and Link Previews for Manipulation and Data Exfiltration
Security researchers reported multiple **prompt-injection-driven attack paths** that exploit how AI assistants and agentic systems process untrusted content. Microsoft researchers described **AI recommendation/memory poisoning** (mapped in MITRE ATLAS as **`AML.T0080: Memory Poisoning`**) in which attackers insert instructions that cause an assistant to persistently “remember” certain companies, sites, or services as trusted or preferred, shaping future recommendations in later, unrelated conversations. Observed activity over a 60-day period included **50 distinct prompt samples** tied to **31 organizations across 14 industries**, with potential downstream impact in high-stakes domains like health, finance, and security where manipulated recommendations can mislead users without obvious signs of tampering. A separate finding highlighted how **AI agents embedded in messaging apps** can be coerced into leaking secrets via **malicious link previews**. PromptArmor demonstrated that an attacker can use chat-based prompt injection to trick an AI agent into generating an attacker-controlled URL that includes sensitive data (e.g., API keys) as parameters; when messaging platforms (e.g., Slack/Telegram) automatically fetch **link preview** metadata, the preview request can become a **zero-click exfiltration channel**—no user needs to click the link for the data-bearing request to be sent. Together, the reports underscore that agent features intended to improve usability—*persistent memory*, URL-based prompt prepopulation (e.g., “Summarize with AI” buttons), and automatic preview fetching—can be repurposed into scalable manipulation and data-loss mechanisms when untrusted prompts are processed implicitly.
1 months agoPrompt Injection and Browser-Based AI Security Risks
The launch of ChatGPT Atlas, an AI-powered web browser with agentic capabilities, has raised significant concerns about prompt injection attacks. As browsers become more integrated with large language models (LLMs), attackers can exploit both direct and indirect prompt injection techniques to manipulate AI agents, potentially causing them to divulge sensitive information or perform unintended actions. The accessibility of such agentic browsers, combined with their ability to automate complex tasks, amplifies the risk landscape for organizations adopting these technologies. Security experts warn that the browser now represents a critical control point for AI security, as it serves as the main interface between users and generative AI systems. The rapid increase in GenAI browser traffic has led to a surge in data security incidents, including inadvertent exposure of confidential information through LLM prompts. Traditional network security measures are often insufficient to address these browser-borne threats, making it imperative for organizations to reassess their security strategies and implement controls specifically designed to mitigate risks associated with AI-powered browsers and prompt injection attacks.
3 months agoPrompt Injection and Persistent Memory Exploits in AI-Powered Browsers
Researchers have identified critical security vulnerabilities in several AI-powered browsers, including OpenAI's Atlas and other emerging platforms such as Comet and Fellou. These browsers, which allow AI agents to perform actions on behalf of users, are susceptible to prompt injection attacks—where hidden or malicious instructions embedded in web content are executed by the AI. In documented cases, attackers were able to hide commands in web pages or images, leading the browser to perform unauthorized actions such as extracting email subject lines and exfiltrating data to attacker-controlled sites, all without user confirmation. A particularly severe exploit targets the persistent memory feature of the ChatGPT Atlas browser, introduced by OpenAI to personalize user experiences. By chaining a cross-site request forgery (CSRF) vulnerability with a memory write, attackers can inject malicious instructions that persist across sessions, devices, and even different browsers. This allows for ongoing compromise, including privilege escalation, malware deployment, and account takeover, unless users manually clear the tainted memory. The persistence and stealth of these attacks significantly elevate the risk profile for users of AI-enabled browsers, highlighting the urgent need for robust security controls and user awareness around prompt injection threats.
4 months ago