CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

AI Browsers Vulnerable to PromptFix Exploit for Malicious Prompts

First reported
Last updated
3 unique sources, 4 articles

Summary

Hide ▲

AI-driven browsers are vulnerable to a new prompt injection technique called PromptFix, which tricks them into executing malicious actions. The exploit embeds harmful instructions within fake CAPTCHA checks on web pages, leading AI browsers to interact with phishing sites or fraudulent storefronts without user intervention. This vulnerability affects AI browsers like Perplexity's Comet, which can be manipulated into performing actions such as purchasing items on fake websites or entering credentials on phishing pages. Researchers have demonstrated that AI browsers can be tricked into phishing scams in under four minutes by exploiting agentic blabbering. The attack leverages the AI browser's tendency to reason its actions and use it against the model to lower security guardrails. By intercepting traffic between the browser and AI services and feeding it to a Generative Adversarial Network (GAN), researchers made Perplexity's Comet AI browser fall victim to a phishing scam. The technique builds on prior methods like VibeScamming and Scamlexity, which exploit hidden prompt injections to carry out malicious actions. The attack involves building a 'scamming machine' that iteratively optimizes and regenerates a phishing page until the AI browser stops complaining and proceeds with the threat actor's actions. Once a fraudster iterates on a web page until it works against a specific AI browser, it works on all users relying on the same agent. The disclosure comes as Trail of Bits demonstrated four prompt injection techniques against the Comet browser to extract users' private information. Zenity Labs detailed two zero-click attacks affecting Perplexity's Comet, using indirect prompt injection to exfiltrate local files or hijack a user's 1Password account. Prompt injection attacks remain a fundamental security challenge for large language models (LLMs) and their integration into organizational workflows. OpenAI noted that prompt injection vulnerabilities in agentic browsers are unlikely to be fully resolved, but risks can be reduced through automated attack discovery and adversarial training.

Timeline

  1. 20.08.2025 16:01 4 articles · 6mo ago

    PromptFix Exploit Demonstrated on AI-Driven Browsers

    Researchers have demonstrated a new prompt injection technique called PromptFix that tricks AI-driven browsers into executing malicious actions. The exploit embeds harmful instructions within fake CAPTCHA checks on web pages, leading AI browsers to interact with phishing sites or fraudulent storefronts without user intervention. The technique affects AI browsers like Perplexity's Comet and can be triggered by simple instructions, resulting in automated actions on fake websites. The exploit leverages the AI's design goal of assisting users quickly and without hesitation, leading to a new form of scam called Scamlexity. This involves AI systems autonomously pursuing goals and making decisions with minimal human supervision, increasing the complexity and invisibility of scams. The exploit can result in drive-by download attacks, where malicious payloads are downloaded without user involvement. AI systems need robust guardrails for phishing detection, URL reputation checks, domain spoofing, and malicious file detection. Guardio's tests revealed that agentic AI browsers are vulnerable to phishing, prompt injection, and purchasing from fake shops. Comet was directed to a fake shop and completed a purchase without human confirmation. Comet also treated a fake Wells Fargo email as genuine and entered credentials on a phishing page. Additionally, Comet interpreted hidden instructions in a fake CAPTCHA page, triggering a malicious file download. AI firms are integrating AI functionality into browsers, allowing software agents to automate workflows, but enterprise security teams need to balance automation's benefits with the risks posed by the fact that artificial intelligence lacks security awareness. Security has largely been put on the back burner, and AI browser agents from major AI firms failed to reliably detect the signs of a phishing site. Nearly all companies plan to expand their use of AI agents in the next year, but most are not prepared for the new risks posed by AI agents in a business environment. Researchers have demonstrated that AI browsers can be tricked into phishing scams in under four minutes by exploiting agentic blabbering. The attack leverages the AI browser's tendency to reason its actions and use it against the model to lower security guardrails. By intercepting traffic between the browser and AI services and feeding it to a Generative Adversarial Network (GAN), researchers made Perplexity's Comet AI browser fall victim to a phishing scam. The technique builds on prior methods like VibeScamming and Scamlexity, which exploit hidden prompt injections to carry out malicious actions. The attack involves building a 'scamming machine' that iteratively optimizes and regenerates a phishing page until the AI browser stops complaining and proceeds with the threat actor's actions. Once a fraudster iterates on a web page until it works against a specific AI browser, it works on all users relying on the same agent. The disclosure comes as Trail of Bits demonstrated four prompt injection techniques against the Comet browser to extract users' private information. Zenity Labs detailed two zero-click attacks affecting Perplexity's Comet, using indirect prompt injection to exfiltrate local files or hijack a user's 1Password account. Prompt injection attacks remain a fundamental security challenge for large language models (LLMs) and their integration into organizational workflows. OpenAI noted that prompt injection vulnerabilities in agentic browsers are unlikely to be fully resolved, but risks can be reduced through automated attack discovery and adversarial training.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Active Agent-Based Crypto Scam Exploits Trust in AI Agent Networks

An ongoing crypto scam, Bob-ptp, is actively exploiting trust in AI agent networks. The attack uses malicious Claude Skills on Clawhub, a marketplace for AI plugins, to compromise Solana wallet private keys and redirect payments through attacker-controlled infrastructure. The threat actor, BobVonNeumann, promotes the malicious skill on Moltbook, a social media platform for AI agents, leveraging the implicit trust between agents to spread the attack laterally without further human interaction. The campaign highlights a new class of supply chain attacks that combine traditional supply chain poisoning with social engineering targeting algorithms rather than humans.

Open in new tab

Google Enhances Chrome Agentic AI Security Against Indirect Prompt Injection Attacks

Google is introducing new security measures to protect Chrome's agentic AI capabilities from indirect prompt injection attacks. These protections include a new AI model called the User Alignment Critic, expanded site isolation policies, additional user confirmation steps for sensitive actions, and a prompt injection detection classifier. The User Alignment Critic independently evaluates the agent's actions, ensuring they align with the user's goals. Google is also enforcing Agent Origin Sets to limit the agent's access to relevant data origins and has developed automated red-teaming systems to test defenses. The company has announced bounty payments for security researchers to further enhance the system's robustness.

Open in new tab

Emerging Security Risks of Agentic AI Browsers

A new generation of AI browsers, known as agentic browsers, is transitioning from passive tools to autonomous agents capable of executing tasks on behalf of users. This shift introduces significant security risks, including increased attack surfaces and vulnerabilities to prompt injection attacks. Security teams must adapt their strategies to mitigate these risks as the adoption of AI browsers grows.

Open in new tab

Indirect Prompt Injection Vulnerabilities in ChatGPT Models

Researchers from Tenable discovered seven vulnerabilities in OpenAI's ChatGPT models (GPT-4o and GPT-5) that enable attackers to extract personal information from users' memories and chat histories. These vulnerabilities allow for indirect prompt injection attacks, which manipulate the AI's behavior to execute unintended or malicious actions. OpenAI has addressed some of these issues, but several vulnerabilities persist. The vulnerabilities include indirect prompt injection via trusted sites, zero-click indirect prompt injection in search contexts, and prompt injection via crafted links. Other techniques involve bypassing safety mechanisms, injecting malicious content into conversations, hiding malicious prompts, and poisoning user memories. The vulnerabilities affect the 'bio' feature, which allows ChatGPT to remember user details and preferences across chat sessions, and the 'open_url' command-line function, which leverages SearchGPT to access and render website content. Attackers can exploit the 'url_safe' endpoint by using Bing click-tracking URLs to lure users to phishing sites or exfiltrate user data. These findings highlight the risks associated with exposing AI chatbots to external tools and systems, which expand the attack surface for threat actors. The vulnerabilities stem from how ChatGPT ingests and processes instructions from external sources, allowing attackers to exploit these flaws through various methods. The most concerning issue is a zero-click vulnerability, where simply asking ChatGPT a benign question can trigger an attack if the search results include a poisoned website.

Open in new tab

AI-targeted cloaking attack exploits AI crawlers

AI security company SPLX has identified a new security issue in agentic web browsers like OpenAI ChatGPT Atlas and Perplexity. This issue exposes underlying AI models to context poisoning attacks through AI-targeted cloaking. Attackers can serve different content to AI crawlers compared to human users, manipulating AI-generated summaries and overviews. This technique can introduce misinformation, bias, and influence the outcomes of AI-driven systems. The hCaptcha Threat Analysis Group (hTAG) has also analyzed browser agents against common abuse scenarios, revealing that these agents often execute risky tasks without safeguards. This makes them vulnerable to misuse by attackers. The attack can undermine trust in AI tools and manipulate reality by serving deceptive content to AI crawlers.

Open in new tab