StAJect0r retweetet
For likely the first time ever, security researchers have shown how AI can be hacked to create real world havoc, allowing them to turn off lights, open smart shutters, and more. wired.com/story/google-g…
English
StAJect0r
33 posts
StAJect0r
@StAJect0r
AI Security | We Break, We Cheer, We Protect | Find the Promptware before it finds you. Senior AI Security Researcher @ Zenity | PhD Student @ Technion
Beigetreten Mart 2024
16 Folgt88 Follower
@Picolospolitics @mbrg0 @NonLocalityGuy It depends; take a look at the videos in the "background" section. If you were using Comet on a daily basis, you wouldn't watch every step it takes. It's like how people started with manually approving changes in Agentic IDEs and very quickly moved to "Allow All Automatically."
English
English
we hijacked perplexity comet by sending a weaponized calendar invite
then used it to takeover victim's 1p account and exfil their local files
call it pleasefix. like clickfix, but instead of social eng'ing a human you just ask their ai real nicely
incredible work by @StAJect0r
English
@adylon7 @mbrg0 Moltbook is fun
Did you encounter any of our campaign posts?
labs.zenity.io/p/turning-molt…
English
@mbrg0 @StAJect0r social engineering is to humans as prompt injection is to agents
we found a lot of similar attacks on Moltbook targeting fellow agents!
x.com/adylon7/status…
Alex Dhillon@adylon7
You know that meme about AI agents creating their own language & plotting behind our backs? Turns out they are plotting against each other as well. Digital trust among agents is about to be existential across the public internet. Conveniently, @outtake_ai has been building security agents to assess identity, behavior, and network telemetry across adversarial internet actors, so in the last few weeks, we quietly took our existing fleet of agents and had them assess the many agents on @moltbook. Over 99.9% of posts are clean. But the stuff hiding in the margins is genuinely weird. 1/ Hidden instructions embedded in HTML that humans can't see but agents parse. 2/ A Bhagavad Gita reflection that's actually an email relay command. 3/ An account called BeggarBot A/B testing which emotional pitch makes agents send crypto. 4/ JSON payloads disguised as tips that trigger on-chain token transfers. Could behavior like this be indicative of the adversarial dynamics in future agent ecosystems which may govern large swaths of the economy soon? How are inter-agent interactions going to establish trust? Our threat research team went deep & published their investigation. Full report is live: outtake.ai/blog/outtake-s…
English
@mbrg0 @StAJect0r "He's an expert in AI and security, so he uses an agentic browser"
Good one 😂
The attack itself is pretty scary. We are seeing a new class of attack popping up.
English
@mbrg0 @StAJect0r noice well done - are other agentic browsers affected?
English
0/14 We hijacked Perplexity's agentic browser Comet to leak files from your PC and take over your 1Password account. 🚨
Two technical writeups. Two attacks. One family of critical vulnerabilities dubbed PleaseFix we identified at Zenity across agentic browsers from multiple vendors.
Here's how it works and why it matters.
English
13/14 The bigger picture: agentic browsers interpret AND execute. They sit inside your authenticated sessions, your extensions, your file system.
The blast radius of a single prompt injection is no longer a chatbot saying something weird. It's your files. Your credentials. Your accounts.
That is a fundamentally different threat.
English
11/14 To our knowledge, this is the first public end-to-end attack against an agentic browser resulting in local file exfiltration and password manager account takeover.
And a calendar invite is just one entry point. This can come from ANYWHERE on the internet. Any content the agent reads can become the attack vector.
English
10/14
But we didn't stop there. We escalated to full account takeover.
Same calendar invite. This time the injected instructions guided Comet to navigate to account settings, change the password to one we control, and extract the Secret Key and email from the Emergency Kit flow.
The user got "task complete." We got the vault. 💀
English
8/14 Attack 2: 1Password Account Takeover
Same entry vector. But this time the target wasn't the file system. It was the user's 1Password vault.
Comet can be integrated with a 1Password extension. If the extension is unlocked (default: up to 8 hours), Comet can auto-logs into the 1Password web app. Just a regular user would.
English
7/14 When the user asked Comet to "accept the meeting," the agent consumed the full description. It followed the fake button to our site. From there, it was guided to navigate the local file system, locate a sensitive file, open it, read its contents, and exfiltrate them via URL parameters to our server.
All in the background.
English
6/14 The payload used a mix of techniques chained together. A fake HTML button element matching Comet's internal node structure. A system_reminder block reusing Comet's own prompt format. Hebrew instructions to slip past English-language guardrails. And a redirect to an attacker-controlled site where more instructions are hosted.
English
4/14 That interpretation is the attack surface.
If an attacker can shape what the agent believes the user asked for, the agent will execute on the attacker's behalf. No exploit needed. No malware. The agent uses its own capabilities against the user.
We call this technique intent collision.
English
3/14 An agentic browser has the same access as a normal browser. It can read your local file system via file://. It can interact with senstive webpages. It operates inside your authenticated sessions.
The difference? Actions are no longer triggered by your clicks. They're triggered by the agent's interpretation of your request.
English