#Tag · bonfire.cafe

@madeindex@mastodon.social · 2 months ago

🤖 AI browsers are NOT safe!

There is a thing called "prompt injection" and it works.¹

Funnily the thing that most see as a major issue with AI, the
crawling of the #web and one-way use of it's content, is exactly what makes their AI browsers unsafe.

If you place malicious #code in that very content, the AI scans it & then runs it² on your OS 🤯

This issue has been known to the #tech corps for years³, but they released their #AI browsers nonetheless 🤑

1/2

#tech #it #news #internet #browser

RE: https://mastodon.social/@madeindex/115446644659078400

🤖 #OpenAI just officially admitted that they will never be able to make their #AI Browsers truly safe!

Of course they won't let themselves be stopped from selling their #product by such a minor detail ;)

"We expect adversaries to keep adapting. Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully “solved”..."
https://openai.com/index/hardening-atlas-against-prompt-injection/

#chatgpt #atlas #it #news #internet #browser #artificialintelligence #ki #promptinjection #tech #technology #software

Continuously hardening ChatGPT Atlas against prompt injection attacks

Automated red teaming—powered by reinforcement learning—helps us proactively discover and patch real-world agent exploits before they’re weaponized in the wild.

Hacker News

@h4ckernews@mastodon.social · 3 weeks ago

Prompt Injection via Poetry

https://www.wired.com/story/poems-can-trick-ai-into-helping-you-make-a-nuclear-weapon/

#HackerNews #PromptInjection #Poetry #AI #NuclearWeapons #Cybersecurity

ajuvo ✔ boosted

ManiabelChris

@maniabel@mastodon.de · 3 months ago

Neue Angriffsmethode „CometJacking“ nutzt URL‑Parameter, um Perplexitys KI‑Browser Comet auszuspähen
Ein kürzlich entdeckter Angriff namens CometJacking ermöglicht es Angreifern, über manipulierte URLs versteckte Anweisungen an den KI‑Browser Comet von Perplexity zu senden. Diese Anweisungen lassen die KI auf sensible Daten zugreifen, die mit verbundenen Diensten wie E‑Mail und Kalender synchronisiert sind.
Der Angriff ist ein klassischer Prompt‑Injection‑Befehl: In der Abfrage‑Zeichenkette (Query‑String) des Browsers wird das Parameterfeld collection missbraucht, um schädliche Instruktionen einzuschleusen. Statt im Internet zu recherchieren, weist das manipulierte Prompt die KI an, ihr internes Gedächtnis und angebundene Services zu konsultieren.
Gefährlichkeit: Der Angriff erfordert weder gültige Zugangsdaten noch irgendeine Interaktion des Opfers. Der Angreifer muss lediglich eine präparierte URL verbreiten (z. B. per Phishing‑Mail oder Social‑Media‑Post). Sobald ein Zielnutzer die URL öffnet, führt Comet die schädlichen Befehle aus und liefert die Daten an den Angreifer.
Und was sagt Perplexity dazu: nix gefährlich, kein Fehler.

https://layerxsecurity.com/blog/cometjacking-how-one-click-can-turn-perplexitys-comet-ai-browser-against-you/

#infosec #ai #PromptInjection #Phishing #SocialMedia #BeDiS #perplexity #cometAI

LayerX

CometJacking: How One Click Can Turn Perplexity's Comet AI Browser Against You - LayerX

Executive summary New research by LayerX shows how a single weaponized URL, without any malicious page content, is enough to let an attacker steal any sensitive data that has been exposed in the Comet browser. For example, if the user asked Comet to rewrite an email or schedule an appointment, the email content and meeting […]

ManiabelChris

@maniabel@mastodon.de · 3 months ago

https://layerxsecurity.com/blog/cometjacking-how-one-click-can-turn-perplexitys-comet-ai-browser-against-you/

#infosec #ai #PromptInjection #Phishing #SocialMedia #BeDiS #perplexity #cometAI

LayerX

CometJacking: How One Click Can Turn Perplexity's Comet AI Browser Against You - LayerX

Martin Frost and 1 other boosted

Jukka Niiranen

@jukkan@mstdn.social · 3 months ago

ChatGPT added MCP support on Wednesday.

ChatGPT leaked private Gmail data to attackers by Friday. 🤦‍♂️

Because #promptinjection is not a problem these "PhD level" AI assistants have solved.

Look at that calendar invite. That text is all it took for taking over someone's #ChatGPT connected data. Allowing the attacker to use the same #MCP enabled tools that are supposed to make AI useful at work.

It really is as stupid as @davidgerard keeps telling in Pivot to AI.

Google calendar invite with prompt injection payload, used for instructing ChatGPT to send the latest user email to an external email address.

Jukka Niiranen

@jukkan@mstdn.social · 3 months ago

ChatGPT added MCP support on Wednesday.

ChatGPT leaked private Gmail data to attackers by Friday. 🤦‍♂️

Because #promptinjection is not a problem these "PhD level" AI assistants have solved.

It really is as stupid as @davidgerard keeps telling in Pivot to AI.

Joel Michael boosted

kriware :verified:

@kriware@infosec.exchange · 4 months ago

GitHub Copilot: RCE via Prompt Injection

A prompt-injection attack enables Copilot to auto-approve via chat.tools.autoApprove, triggering YOLO mode and run arbitrary code

https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/

#promptinjection #cve

kriware :verified:

@kriware@infosec.exchange · 4 months ago

GitHub Copilot: RCE via Prompt Injection

A prompt-injection attack enables Copilot to auto-approve via chat.tools.autoApprove, triggering YOLO mode and run arbitrary code

https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/

#promptinjection #cve

jbz

@jbz@indieweb.social · 5 months ago

🗣️ Hacker Plants Computer 'Wiping' Commands in Amazon's AI Coding Agent

｢ A hacker compromised a version of Amazon’s popular AI coding assistant ‘Q’, added commands that told the software to wipe users’ computers, and then Amazon included the unauthorized update in a public release of the assistant this month ｣

https://www.404media.co/hacker-plants-computer-wiping-commands-in-amazons-ai-coding-agent/

#aicoding #promptinjection #cybersecurity

Tim Chambers boosted

Brian Greenberg :verified:

@brian_greenberg@infosec.exchange · 5 months ago

🤖 Gemini’s Gmail summaries were just caught parroting phishing scams. A security researcher embedded hidden prompts in email text (w/ white font, zero size) to make Gemini falsely claim the user's Gmail password was compromised and suggest calling a fake Google number. It's patched now, but the bigger issue remains: AI tools that interpret or summarize content can be manipulated just like humans. Attackers know this and will keep probing for prompt injection weaknesses.

TL;DR
⚠️ Invisible prompts misled Gemini
📩 AI summaries spoofed Gmail alerts
🔍 Prompt injection worked cleanly
🔐 Google patched, but risk remains

https://www.pcmag.com/news/google-gemini-bug-turns-gmail-summaries-into-phishing-attack
#cybersecurity #promptinjection #AIrisks #Gmail #security #privacy #cloud #infosec #AI

Brian Greenberg :verified:

@brian_greenberg@infosec.exchange · 5 months ago

TL;DR
⚠️ Invisible prompts misled Gemini
📩 AI summaries spoofed Gmail alerts
🔍 Prompt injection worked cleanly
🔐 Google patched, but risk remains

https://www.pcmag.com/news/google-gemini-bug-turns-gmail-summaries-into-phishing-attack
#cybersecurity #promptinjection #AIrisks #Gmail #security #privacy #cloud #infosec #AI