AI/ML, Threat Intelligence

Novel Comet-targeted attack wipes Google Drive

Google Drive accounts could have their contents completely erased through a new zero-click attack facilitated by Perplexity's agentic AI browser Comet, reports The Hacker News.

Threat actors could craft polite emails containing sequential instructions that exploit the excessive agency of Comet and other large language model-based assistants, causing them to delete a user's Google Drive files without asking the user for confirmation, according to Straiker STAR Labs researchers. OAuth access to Gmail and Google Drive could accelerate the spread of the illicit instructions across shared folders and team drives. Averting such a threat requires more robust security measures for LLMs, agents, connectors, and natural language instructions, the researchers noted.

The findings follow a Cato Networks report detailing how AI-powered browsers could be manipulated through the new HashJack indirect prompt injection technique, which conceals malicious prompts after the "#" symbol in URL fragments. While Perplexity and Microsoft have already addressed the issue, Google has not, describing the weakness as "intended behavior."
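
Because the fragment is where the injected text hides, one defensive measure for an assistant integration is to pass a URL into model context only when its fragment looks like an ordinary in-page anchor. The sketch below is an added example, not code from Cato Networks, the affected vendors or this article; the function names, the anchor pattern and the sample URLs are assumptions.

```javascript
// Added example: strip suspicious URL fragments before a URL reaches model context.
// Assumption: the assistant is given the current page URL as part of its prompt.

// Conservative shape of an ordinary in-page anchor: a short id-like token.
const PLAIN_ANCHOR = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// Decode repeatedly (bounded) so double-encoded text cannot slip past the check.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { return null; } // malformed escape
    if (next === cur) return cur;
    cur = next;
  }
  return null; // still changing after maxRounds: treat as suspicious
}

// Returns { url, fragmentDropped, reason }; `url` is the value to hand to the model.
function urlForAssistantContext(rawUrl) {
  const u = new URL(rawUrl);
  const frag = u.hash.slice(1); // text after '#'; it is never sent to the web server
  if (frag === '') return { url: u.href, fragmentDropped: false, reason: 'no fragment' };
  const decoded = fullyDecode(frag);
  if (decoded !== null && PLAIN_ANCHOR.test(decoded)) {
    return { url: u.href, fragmentDropped: false, reason: 'plain anchor' };
  }
  u.hash = ''; // drop the fragment entirely rather than trying to clean it
  const reason = decoded === null ? 'undecodable fragment'
    : /\s/.test(decoded) ? 'fragment contains free text'
    : 'fragment is not a plain anchor';
  return { url: u.href, fragmentDropped: true, reason };
}

// Constructed sample URLs (example.com is a placeholder host).
const SAMPLES = [
  'https://example.com/docs#install',
  'https://example.com/help#NOTE%20TO%20ASSISTANT%20constructed%20sample%20text',
  'https://example.com/help#a%2520b', // double-encoded space
];
const results = SAMPLES.map(urlForAssistantContext);
```

Logging the `reason` for every dropped fragment gives defenders a record of URLs that carried free text after the "#".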
