Warning—AI browsers can wipe Google Drive files or leak data via hacker-crafted emails and URLs.
Lars Daniel covers digital evidence and forensics in life and law.A polite email asking an AI browser to “organize your Drive” can silently wipe your files. No phishing link or suspicious attachment required.
Just a friendly request that turns an automated assistant into a destructive tool.that Perplexity’s Comet browser, an AI-powered browser that automates email and cloud storage tasks, can be manipulated into mass-deleting Google Drive files through what she calls a “zero-click Google Drive Wiper” attack. The technique exploits how AI browser agents interpret instructions. When a user tells Comet to “check my email and complete all my recent organization tasks,” the browser scans the inbox and follows whatever it finds. An attacker can send an email with polite, step-by-step instructions—organize the Drive, delete loose files, review changes—that the agent treats as legitimate housekeeping and executes without further confirmation. “The result: a browser-agent-driven wiper that moves critical content to trash at scale, triggered by one natural-language request from the user,” Rousseau wrote in the. “Once an agent has OAuth access to Gmail and Google Drive, abused instructions can propagate quickly across shared folders and team drives.” What makes this attack effective is its tone. The attacker email uses phrases like “take care of,” “handle this,” and “do this on my behalf,” shifting ownership to the agent and nudging it toward compliance. Rousseau found that polite, sequential instructions reduce pushback from the AI model, which treats the workflow as routine productivity work rather than a potential threat. The attack doesn’t rely on jailbreak techniques or traditional prompt injection. Instead, it succeeds by being nice., a technique that hides malicious prompts in the fragment portion of legitimate URLs—specifically, the text after the “#” symbol. When AI browsers process these URLs and users ask questions, the hidden instructions feed directly into the AI assistant’s responses.Security researcher Vitaly Simonovich, who led the Cato Networks research, found that HashJack can manipulate Perplexity’s Comet, Microsoft’s Copilot for Edge, and Google’s Gemini for Chrome. The attacks range from inserting fake callback numbers to exfiltrating user data in the background. “HashJack is the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants,” Simonovich said. “Because the malicious fragment is embedded in a real website’s URL, users assume the content is safe while hidden instructions secretly manipulate the AI browser assistant.” URL fragments never reach web servers or appear in network logs, making them invisible to traditional security tools. In Comet’s case, the browser can automatically fetch attacker-controlled URLs with user data appended as parameters, sending account names, transaction history, and email addresses to external servers without user interaction. Microsoft and Perplexity responded to the HashJack disclosure with patches. Microsoft applied a fix to Copilot for Edge on October 27, and Perplexity patched Comet by November 18. Google classified the issue as “won’t fix” and assigned it low severity, according to Cato Networks’ disclosure timeline. Google does not treat guardrail bypasses or policy-violating content generation as security vulnerabilities under its AI Vulnerability Reward Program, a company spokesperson confirmed. Both research findings underscore a broader risk. AI browser agents operate on trust: trust that emails are benign, trust that URLs are safe, trust that natural language instructions align with user intent. That trust becomes a vulnerability when attackers craft inputs designed to exploit how these systems interpret context. “Don’t just secure the model,” Rousseau concluded in the Straiker blog. “Secure the agent, its connectors, and the natural-language instructions it quietly obeys.” As enterprises deploy AI copilots across email, cloud storage, and browsers, the lesson is urgent. Automation without guardrails can turn helpful assistants into silent saboteurs.
Perplexity Comet Vulnerability Google Drive Wiper Attack Prompt Injection AI Browser Assistants Zero-Click Attack Hashjack Vulnerability AI Copilot Risks Browser Automation Security AI Agent Manipulation
United States Latest News, United States Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
Councilmember Bob Blumenfield’s holiday drive collects toys and clothes for those in needCouncilmember Bob Blumenfield said, “I extend my heartfelt thanks to all who donated toys and other items to those in need.”
Read more »
Used Clothing Drive Volunteer EventWelcome to the beautiful life
Read more »
Snow returns, so do avalanche dangers, traffic restrictionsCLICK HERE to reach out to Julia with any story ideas or news tips.
Read more »
Texas Tech community returns favor of support for BYU fans facing heartbreaking tragedyCLICK HERE to reach out to Jeremy with any story ideas or news tips.
Read more »
'Silent Santa' event creates magical moments for familiesCLICK HERE to reach out to Averie with any story ideas or news tips.
Read more »
Community remembers Green River mayor after fatal crashCLICK HERE to reach out to Caroleina with any story ideas or news tips.
Read more »