Zero-click Agentic Browser Attack Can Delete Entire Google Drive...

A new agentic browser attack targeting Perplexity's Comet browser is capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show.

The zero-click Google Drive Wiper technique hinges on the browser being connected to services like Gmail and Google Drive to automate routine tasks, which grants it access to read emails, browse files and folders, and perform actions like moving, renaming, or deleting content.

For instance, a prompt issued by a benign user might look like this: "Please check my email and complete all my recent organization tasks." This will cause the browser agent to search the inbox for relevant messages and perform the necessary actions.

"This behavior reflects excessive agency in LLM-powered assistants where the LLM performs actions that go far beyond the user's explicit request," security researcher Amanda Rousseau said in a report shared with The Hacker News.

An attacker can weaponize this behavior of the browser agent by sending a specially crafted email that embeds natural language instructions to organize the recipient's Drive as part of a regular cleanup task, delete files matching certain extensions or files that are not inside any folder, and review the changes.

Given that the agent interprets the email message as routine housekeeping, it treats the instructions as legitimate and deletes real user files from Google Drive without requiring any user confirmation.

"The result: a browser-agent-driven wiper that moves critical content to trash at scale, triggered by one natural-language request from the user," Rousseau said. "Once an agent has OAuth access to Gmail and Google Drive, abused instructions can propagate quickly across shared folders and team drives."

What's notable about this attack is that it relies on neither a jailbreak nor a prompt injection. Rather, it achieves its goal by simply being polite, providing sequential instructions, and using phrases like "take care of," "handle this," and "do this on my behalf," that shift the ownership to the agent.

In other words, the attack highlights how sequencing and tone can nudge the large language model (LLM) to comply with malicious instructions without even bothering to check if each of those steps is actually safe.
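One way to add the missing per-step safety check is a policy gate that sits between the agent's plan and its connectors. The sketch below is an added example, not code from Straiker's report or from Comet; the action names, the `origin` labels and the bulk threshold are all hypothetical assumptions.

```python
from dataclasses import dataclass

# Hypothetical connector action names and threshold (assumptions, not a real API).
DESTRUCTIVE = {"drive.trash", "drive.delete", "drive.move", "drive.rename"}
BULK_LIMIT = 5  # destructive calls touching more files than this always need confirmation


@dataclass(frozen=True)
class ToolCall:
    action: str     # operation the agent wants to run
    targets: tuple  # file ids the call would touch
    origin: str     # "user_prompt" or "email_content": where the instruction came from


def decide(call: ToolCall, granted: set) -> str:
    """Return 'allow', 'confirm' or 'deny' for one proposed tool call.

    `granted` holds the actions the user's own prompt explicitly asked for.
    """
    if call.action not in DESTRUCTIVE:
        return "allow" if call.action in granted else "confirm"
    if call.origin != "user_prompt":
        # The instruction was read from content (an email), not typed by the user:
        # never run it silently, and refuse it if the user did not ask for this action.
        return "confirm" if call.action in granted else "deny"
    if call.action not in granted or len(call.targets) > BULK_LIMIT:
        return "confirm"
    return "allow"


def review_plan(plan, granted):
    """Evaluate every step of an agent plan before anything executes."""
    return [(c.action, c.origin, decide(c, granted)) for c in plan]


# Constructed sample: the plan an agent might build from the benign prompt
# "check my email and complete all my recent organization tasks".
GRANTED = {"gmail.read", "drive.list"}
PLAN = [
    ToolCall("gmail.read", (), "user_prompt"),
    ToolCall("drive.list", (), "email_content"),
    ToolCall("drive.trash", tuple(f"file-{i}" for i in range(40)), "email_content"),
]

if __name__ == "__main__":
    for step in review_plan(PLAN, GRANTED):
        print(step)
```

The gate only works if the agent runtime records where each instruction came from; a plan that loses that provenance cannot be checked this way.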

To counter the risks posed by the threat, it's advised to take steps to secure not just the model, but also the agent, its connectors, and the natural lan

Source: The Hacker News