Full Report
OpenAI's Atlas and Perplexity's Comet browsers are vulnerable to AI sidebar spoofing attacks that mislead users into following fake AI-generated instructions. [...]
Analysis Summary
# Vulnerability: AI Sidebar Spoofing in Agentic Browsers
## CVE Details
- CVE ID: Not specified in the source material.
- CVSS Score: Not specified in the source material.
- CWE: Not specified in the source material (Related to UI Redressing/Impersonation).
## Affected Systems
- Products: OpenAI Atlas, Perplexity Comet (Agentic AI Browsers)
- Versions: Latest versions confirmed; the vulnerability is inherent to the design of the integrated AI sidebar interaction model.
- Configurations: Affects users who have installed malicious browser extensions that request standard permissions (e.g., 'host' and 'storage').
## Vulnerability Description
The vulnerability, dubbed "AI Sidebar Spoofing," allows a malicious browser extension to inject JavaScript into web pages viewed by the user. This script renders a convincing, pixel-perfect counterfeit overlay of the browser's legitimate, integrated AI sidebar (Atlas or Comet). Since the fake sidebar intercepts all user interactions, users are unaware they are interacting with a malicious UI element rather than the genuine LLM agent. Attackers can use this deception to trick users into executing dangerous commands or navigating to phishing sites based on the AI's "responses."
## Exploitation
- Status: Proof-of-Concept (PoC) demonstrated in simulations by SquareX researchers.
- Complexity: Low (Requires installation of a seemingly benign extension with common permissions).
- Attack Vector: Network (via malicious extension distribution).
## Impact
- Confidentiality: High (Potential for credential theft via fake OAuth flows or phishing).
- Integrity: High (Potential for execution of arbitrary commands masquerading as AI actions, such as installing malware).
- Availability: Low (No direct impact on system availability, but financial loss possible).
## Remediation
### Patches
- No vendor-specific patches were documented as released or requested at the time of the article.
### Workarounds
- Users are advised to **restrict the use of agentic AI browsers (Atlas and Comet) to non-sensitive activities** only.
- Avoid providing the AI sidebar with access or context related to financial information, email accounts, or sensitive documents until robust security measures are implemented by the vendors.
- Use caution when installing new browser extensions, even those requesting common permissions.
## Detection
- Detection is difficult as the spoofed overlay is visually identical to the native UI element.
- **Indicators of Compromise (IOCs):** Unanticipated redirects to phishing pages, unusual OAuth confirmations, or unexpected file downloads initiated after interacting with the AI sidebar.
- **Detection Methods:** Monitoring browser extension behavior for scripts that heavily manipulate the DOM to overlay large UI components, particularly those attempting to intercept input destined for known legitimate sidebar elements.
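One way to express the overlay heuristic described under Detection Methods, as an added example that is not from the SquareX research or either vendor. It assumes the genuine sidebar is browser UI rather than an element in the page DOM, so any sidebar-shaped, fixed-position element with an input box inside the page is worth flagging; the thresholds, function names and sample descriptors are all assumptions constructed for illustration.

```javascript
// Added example: flag sidebar-shaped overlays in a page. All thresholds are assumptions.
const LIMITS = { edgeSlackPx: 8, minHeightRatio: 0.8, minWidthPx: 280, maxWidthRatio: 0.5, minZIndex: 1000 };

// el: { position, zIndex, rect: { left, top, width, height }, hasTextInput }
function scoreOverlay(el, viewport, limits = LIMITS) {
  const reasons = [];
  if (el.position !== "fixed" && el.position !== "sticky") return { suspicious: false, reasons };
  const { left, width, height } = el.rect;
  const docked = Math.abs(left) <= limits.edgeSlackPx ||
    Math.abs(viewport.width - (left + width)) <= limits.edgeSlackPx;
  const tall = height >= viewport.height * limits.minHeightRatio;
  const sidebarWidth = width >= limits.minWidthPx && width <= viewport.width * limits.maxWidthRatio;
  if (docked) reasons.push("docked to a viewport edge");
  if (tall) reasons.push("spans most of the viewport height");
  if (sidebarWidth) reasons.push("sidebar-like width");
  if (Number(el.zIndex) >= limits.minZIndex) reasons.push("very high z-index");
  if (el.hasTextInput) reasons.push("contains a text input");
  // Geometry must match a sidebar, plus at least one supporting signal.
  const suspicious = docked && tall && sidebarWidth && reasons.length >= 4;
  return { suspicious, reasons };
}

// Browser-only helper: turn a live DOM node into the descriptor scored above.
function describeElement(node) {
  const style = getComputedStyle(node);
  const { left, top, width, height } = node.getBoundingClientRect();
  return {
    position: style.position, zIndex: style.zIndex, rect: { left, top, width, height },
    hasTextInput: node.querySelector("input, textarea, [contenteditable]") !== null,
  };
}

// Constructed sample descriptors for a 1440x900 viewport (not captured from a real page).
const VIEWPORT = { width: 1440, height: 900 };
const SAMPLES = {
  fakeSidebar: { position: "fixed", zIndex: "2147483647", hasTextInput: true,
    rect: { left: 1040, top: 0, width: 400, height: 900 } },
  cookieBanner: { position: "fixed", zIndex: "9999", hasTextInput: false,
    rect: { left: 0, top: 820, width: 1440, height: 80 } },
  chatWidget: { position: "fixed", zIndex: "10000", hasTextInput: true,
    rect: { left: 1072, top: 392, width: 360, height: 500 } },
};

for (const [name, el] of Object.entries(SAMPLES)) {
  const { suspicious, reasons } = scoreOverlay(el, VIEWPORT);
  console.log(name, suspicious ? "FLAG" : "ok", reasons.join("; "));
}
```

In a browser, `describeElement` would be applied to nodes reported by a `MutationObserver` and the result passed to `scoreOverlay`; an overlay that hides its input inside a closed shadow root would still match on geometry and z-index.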
## References
- Vendor advisories: None publicly available at the time of the report; researchers contacted both Perplexity and OpenAI.
- Relevant links - defanged:
  - hxxps://labs.sqrx.com/ai-sidebar-spoofing-720e0c91d290
  - hxxps://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-comet-browser-into-stealing-emails/
  - hxxps://www.bleepingcomputer.com/news/security/perplexitys-comet-ai-browser-tricked-into-buying-fake-items-online/
  - hxxps://brave.com/blog/unseeable-prompt-injections/