    645 points helloplanets | 17 comments
    1. theideaofcoffee ◴[] No.45004998[source]
    Beyond being a warning about AI, which is helpful, you really should be taking proper security precautions anyway. Personally, I have a separate browser that runs no extensions set aside that's solely dedicated to doing finance- and other PII-type things. It's set to start on private browsing mode, clear all cookies on quit and I use it only for that. There may be more things that I could do but that meets my threat threshold for now. I go through this for exactly the reason in the tweet.
    replies(8): >>45005107 #>>45005112 #>>45005240 #>>45005242 #>>45005255 #>>45005338 #>>45005378 #>>45005931 #
    2. brookst ◴[] No.45005107[source]
    My bank assumes private browsing = hack attempt and makes login incredibly onerous, sadly.
    3. netsharc ◴[] No.45005112[source]
    Gee, I really haven't considered your approach.. considering extensions can really be trojan horses for malware, that's a good idea..

    It's interesting how old phone OSes like BlackBerry had a great security model (fine-grained permissions) but when the unicorns showed up they just said "Trust us, it'll be fine..", and some of these companies provide browsers too..

    replies(1): >>45005172 #
    4. delusional ◴[] No.45005172[source]
    > Trust us, it'll be fine..

    That's because their product is the malware. Anything they did to block malware would also block their products. If they white listed their products, competition laws would step in to force them to consider other providers too.

    replies(1): >>45011749 #
    5. zahlman ◴[] No.45005240[source]
    ... Your bank's site works in private browsing mode?
    replies(1): >>45006041 #
    6. ◴[] No.45005242[source]
    7. scared_together ◴[] No.45005255[source]
    I thought that incognito mode in Chrome[0] and private mode in Firefox[1] already disable extensions by default.

    [0] https://support.google.com/chrome_webstore/answer/2664769?hl...

    [1] https://support.mozilla.org/en-US/kb/extensions-private-brow...

    replies(2): >>45005300 #>>45051227 #
    8. jraph ◴[] No.45005300[source]
    Absolutely, except for extensions you explicitly want to have in private mode, which is opt-in.
    replies(1): >>45008669 #
    9. cube2222 ◴[] No.45005338[source]
    Personally, I only use websites like that on mobile/tablet devices with more closed-down/sandboxed operating systems (I’d expect both iOS and Android from reputable brands to be just fine for that), and recommend the same to any relatives.
    10. _trampeltier ◴[] No.45005378[source]
    I even have a separate user login for such things, a separate user for hobby things and a separate user for other things.
    11. ◴[] No.45005931[source]
    12. sroussey ◴[] No.45006041[source]
    You can use a different profile for banking and limit the extensions to be just your password manager.
    replies(1): >>45051275 #
    13. chrisjj ◴[] No.45008669{3}[source]
    So? Extensions are opt-in in regular mode too.
    replies(1): >>45010535 #
    14. jraph ◴[] No.45010535{4}[source]
    I'm agreeing with my parent comment, to which I'm adding some precision.
    15. dns_snek ◴[] No.45011749{3}[source]
    > If they white listed their products, competition laws would step in to force them to consider other providers too.

    Uh, you're describing SafetyNet and at least a dozen similar anti-competitive measures by big tech. They've been doing this for years and regulators have basically been ignoring it. DMA over on the EU side hints at this changing but it's too little too late.

    16. dolmen ◴[] No.45051227[source]
    Private/incognito mode doesn't protect against XSS.
    17. dolmen ◴[] No.45051275{3}[source]
    I'm not aware of a password manager (except the browser's built-in one) that allows limiting itself to only a subset of the credentials it knows.

    In a "banking" browser profile, I want only the banking credentials to be available to the browser. In all other browser profiles I don't want the banking credentials to be available.