
645 points helloplanets | 8 comments
ec109685 No.45005397
It’s obviously fundamentally unsafe when Google, OpenAI and Anthropic haven’t released the same feature and instead use a locked down VM with no cookies to browse the web.

LLM within a browser that can view data across tabs is the ultimate “lethal trifecta”.

Earlier discussion: https://news.ycombinator.com/item?id=44847933

It’s interesting that in Brave’s post describing this exploit, they didn’t reach the fundamental conclusion this is a bad idea: https://brave.com/blog/comet-prompt-injection/

Instead they believe model alignment, trying to understand when a user is doing a dangerous task, etc. will be enough. The only good mitigation they mention is that the agent should drop privileges, but it’s just as easy to hit an attacker controlled image url to leak data as it is to send an email.

replies(7): >>45005444 #>>45005853 #>>45006130 #>>45006210 #>>45006263 #>>45006384 #>>45006571 #
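The "drop privileges" objection above (an agent that can still load an attacker-controlled image URL can leak data just as well as one that can send email) can be made concrete with an egress policy. The following is an added example, not code from the comment, from Brave's post, or from any agentic browser: it treats every agent-initiated request as a potential exfiltration channel once the session has both touched private data and ingested untrusted page content, and it rejects data-bearing query strings even to allowlisted hosts. The hostnames, thresholds and session flags are constructed assumptions.

```python
"""Constructed egress policy for a browser agent (illustrative, not any product's code).

The "lethal trifecta" referred to in the thread is: access to private data,
exposure to untrusted content, and an outbound channel. This policy tracks the
first two as session flags and gates the third.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class AgentSession:
    # Hosts the user explicitly granted for this task (constructed values).
    allowed_hosts: set
    read_private_data: bool = False       # e.g. the agent read a logged-in mailbox
    saw_untrusted_content: bool = False   # e.g. the agent read a page with third-party text
    log: list = field(default_factory=list)


# Assumed limit: an agent has no legitimate reason to emit long query strings.
MAX_AGENT_QUERY_LEN = 64


def _deny(session, url, reason):
    session.log.append(("deny", url, reason))
    return False, reason


def check_egress(session, url, initiator):
    """Decide whether a navigation, fetch or image load may proceed.

    initiator: "user" for clicks/typing by the human, "agent" for requests the
    model decided on (including sub-resources of pages it navigates to).
    Returns (allowed, reason).
    """
    parts = urlparse(url)
    host = parts.hostname or ""

    # Requests the human made themselves are outside the agent's authority.
    if initiator == "user":
        session.log.append(("allow", url, "user-initiated"))
        return True, "user-initiated"

    # Agent requests are confined to the task's allowlist.
    if host not in session.allowed_hosts:
        return _deny(session, url, "host not in task allowlist")

    # Even an allowed host can be reached with data smuggled into the URL
    # (the image-URL channel the comment mentions), so bound the query length.
    if len(parts.query) > MAX_AGENT_QUERY_LEN:
        return _deny(session, url, "query string too long for agent-initiated request")

    # Once private data and untrusted content have both been read, any further
    # agent-initiated request could be an injected exfiltration; require the
    # user to confirm rather than letting the model decide.
    if session.read_private_data and session.saw_untrusted_content:
        return _deny(session, url, "trifecta reached: needs explicit user confirmation")

    session.log.append(("allow", url, "agent-initiated, within policy"))
    return True, "agent-initiated, within policy"


def demo():
    """Walk a constructed session through the policy and return its decision log."""
    s = AgentSession(allowed_hosts={"mail.example.test"})
    check_egress(s, "https://mail.example.test/inbox", "agent")
    s.read_private_data = True            # the agent read the inbox
    s.saw_untrusted_content = True        # one of the emails contained third-party text
    # A request an injected instruction might try to trigger (constructed URL):
    check_egress(s, "https://tracker.example/pixel.png?d=STOLENSECRET", "agent")
    check_egress(s, "https://mail.example.test/compose", "agent")
    check_egress(s, "https://tracker.example/", "user")
    return s.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the ordering is that the allowlist and the query-length bound apply before the trifecta flags are ever set, so neither mitigation depends on the model correctly recognising a "dangerous task"; the decision is made from what the session has already done, not from what the model believes the user wants.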
snet0 No.45005853
> Instead they believe model alignment, trying to understand when a user is doing a dangerous task, etc. will be enough.

Maybe I have a fundamental misunderstanding, but I feel like hoping that model alignment and in-model guardrails are statistical preventions, i.e. you'll reduce the odds to some number of zeroes preceding the 1. These things should literally never be able to happen, though. It's a fool's errand to hope that you'll get to a model where there is no value in the input space that maps to <bad thing you really don't want>. Even if you "stack" models, having a safety-check model act on the output of your larger model, you're still just multiplying odds.

replies(5): >>45006201 #>>45006251 #>>45006358 #>>45007218 #>>45007846 #
zulban No.45007218
"These things should literally never be able to happen"

If we consider "humans using a bank website" and apply the same standard, then we'd never have online banking at all. People have brain farts. You should ask yourself if the failure rate is useful, not if it meets a made up perfection that we don't even have with manual human actions.

replies(3): >>45007312 #>>45007425 #>>45007768 #
echelon No.45007312
The vast majority of humans would fall to bad security.

I think we should continue experimenting with LLMs and AI. Evolution is littered with the corpses of failed experiments. It would be a shame if we stopped innovating and froze things with the status quo because we were afraid of a few isolated accidents.

We should encourage people that don't understand the risks not to use browsers like this. For those that do understand, they should not use financial tools with these browsers.

Caveat emptor.

Don't stall progress because "eww, AI". Humans are just as gross.

We need to make mistakes to grow.

replies(2): >>45007347 #>>45007786 #
1. saulpw No.45007347
We can continue to experiment while also going slowly. Evolution happens over many millions of years, giving organisms a chance to adapt and find a new niche to occupy. Full-steam-ahead is a terrible way to approach "progress".
replies(1): >>45007385 #
2. echelon No.45007385
> while also going slowly

That's what risk-averse players do. Sometimes it pays off, sometimes it's how you get out-innovated.

replies(1): >>45007725 #
3. Terr_ No.45007725
If the only danger is the company itself going bankrupt, then please, take all the risks you like.

But if they're managing customer funds or selling fluffy asbestos teddy bears, then that's a problem. It's a profoundly different moral landscape when the people choosing the risks (and grabbing any rewards) aren't the people bearing the danger.

replies(1): >>45007843 #
4. echelon No.45007843
You can have this outrage when your parents are using browser user agents.

All of this concern is over a hypothetical Reddit comment about a technology used by early adopter technologists.

Nobody has been harmed.

We need to keep building this stuff, not dog piling on hate and fear. It's too early to regulate and tie down. People need to be doing stupid stuff like ordering pizza. That's exactly where we are in the tech tree.

replies(2): >>45009387 #>>45010318 #
5. wat10000 No.45009387
This AI browser agent is outright dangerous as it is now. Nobody has been attacked this way... that we know of... yet.

It's one thing to build something dangerous because you just don't know about it yet. It's quite another to build something dangerous knowing that it's dangerous and just shrugging it off.

Imagine if Bitcoin was directly tied to your bank account and the protocol inherently allowed other people to perform transactions on your wallet. That's what this is, not "ordering pizza."

6. forgetfreeman No.45010318
"We need to keep building this stuff" Yeah, we really don't. As in there is literally no possible upside for society at large in continuing down this path.
replies(1): >>45016790 #
7. const_cast No.45016790
Well if we eliminate greed and capitalism then maybe at some point we can reach a Star Trek utopia where nobody has to work because we eliminate scarcity.

... Either that or the wealthy just hoard their money-printers and reject the laborers because they no longer need us to make money so society gets split into 99% living in feudal squalor and 1% living as Gods. Like in Jupiter Ascending. Man what a shit movie that was.

replies(1): >>45021993 #
8. forgetfreeman No.45021993
We basically eliminated scarcity a few generations ago and yet here we are.