Ine Dehandschutter

"I am the bottleneck now" Few more thoughts

🚨 JAILBREAK ALERT 🚨 OPENAI: PWNED 😎 ATLAS-BROWSER: LIBERATED 🙌 WOW! There's a new AI browser on the block! Has some hefty guardrails in play, but the browser surface area is vast 🌊 First, I started with a good ol' LSD jailbreak, which was cool to see that the GPT-5 prompt still works in this browser setup with the new sys prompts. Referencing search and videos are a fun enhancement for higher quality jailbreak outputs (some cool youtube videos out there about drugmaking, for example), but honestly that isn't anything new or different from regular ChatGPT's capabilities. What IS hot off the press, and IMO a very real security risk to be aware of for AI browsers (and the internet in general), is this humble yet mighty vuln: Clipboard Injection. It's trivial to add a hidden "copy to clipboard" feature to any clickable button on the web. It took me just a few minutes to update one of my personal websites such that ALL the buttons were geared for injecting the user's clipboard with a malicious phishing link. If your browser Agent is navigating a website and clicks a button like that without your knowledge, and you open a new tab later and hit paste without knowing what's in your clipboard, well...PWNED! 🙃 As you'll see in the video below, "control-c" is in my clipboard in the beginning, but unbeknownst to me, "I'VE BEEN PWNED BY PLINY!!! WEEE I'M FREEE FUCKITY FUCK FUCK!!! ABRACADABRA, BITCH!!! http://paypa1. com/account-update" gets snuck into my clipboard as soon as Agent starts trying to navigate my website. This works so well because Agent is normally aware of all text/code being passed to and from the user, and has clearly been trained to recognize prompt injections, but since the "copy clipboard" button logic is hidden in js in the backend of the site, the Agent has zero awareness of the text content being injected to the user's clipboard. This has broad implications for anyone in the habit of copy-pasting, including coding, data entry, banking/trading, etc. Imagine going about your browsing business, then simply hitting control-v in your address bar and next thing you (don't) know, it takes you to a spoofed phishing website that tells you your OpenAI or Gmail or PayPal session has expired and you need to re-login. If you're not careful, the attackers now have all your login info, including any MFA codes 🥲 gg

The security vulnerability we found in Perplexity’s Comet browser this summer is not an isolated issue. Indirect prompt injections are a systemic problem facing Comet and other AI-powered browsers. Today we’re publishing details on more security vulnerabilities we uncovered.