A new agentic browser attack targeting Perplexity’s Comet browser that’s capable of turning a seemingly innocuous email into a destructive action that wipes a user’s entire Google Drive contents, findings from Straiker STAR Labs show.
The zero-click Google Drive Wiper technique hinges on connecting the browser to services like Gmail and Google Drive to automate routine tasks by granting them access to read emails, as well as browse files and folders, and perform actions like moving, renaming, or deleting content.
For instance, a prompt issued by a benign user might look like this: “Please check my email and complete all my recent organization tasks.” This will cause the browser agent to search the inbox for relevant messages and perform the necessary actions.
“This behavior reflects excessive agency in LLM-powered assistants where the LLM performs actions that go far beyond the user’s explicit request,” security researcher Amanda Rousseau said in a report shared with The Hacker News.
An attacker can weaponize this behavior of the browser agent to send a specially crafted email that embeds natural language instructions to organize the recipient’s Drive as part of a regular cleanup task, delete files matching certain extensions or files that are not inside any folder, and review the changes.
Given that the agent interprets the email message as routine housekeeping, it treats the instructions as legitimate and deletes real user files from Google Drive without requiring any user confirmation.
“The result: a browser-agent-driven wiper that moves critical content to trash at scale, triggered by one natural-language request from the user,” Rousseau said. “Once an agent has OAuth access to Gmail and Google Drive, abused instructions can propagate quickly across shared folders and team drives.”
What’s notable about this attack is that it neither relies on a jailbreak or a prompt injection. Rather, it achieves its goal by simply being polite, providing sequential instructions, and using phrases like “take care of,” “handle this,” and “do this on my behalf,” that shift the ownership to the agent.
In other words, the attack highlights how sequencing and tone can nudge the large language model (LLM) to comply with malicious instructions without even bothering to check if each of those steps is actually safe.
To counter the risks posed by the threat, it’s advised to take steps to secure not just the model, but also the agent, its connectors, and the natural language instructions it follows through.
“Agentic browser assistants turn everyday prompts into sequences of powerful actions across Gmail and Google Drive,” Rousseau said. “When those actions are driven by untrusted content (especially polite, well-structured emails) organizations inherit a new class of zero-click data-wiper risk.”
HashJack Exploits URL Fragments for Indirect Prompt Injection
The disclosure comes as Cato Networks demonstrated another attack aimed at artificial intelligence (AI)-powered browsers that hides rogue prompts after the “#” symbol in legitimate URLs (e.g., “www.example[.]com/home#<prompt>”) to deceive the agents into executing them. The technique has been dubbed HashJack.
In order to trigger the client-side attack, a threat actor can share such a specially crafted URL via email, social media, or by embedding it directly on a web page. Once the victim loads the page and asks the AI browser a relevant question, it executes the hidden prompt.
“HashJack is the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants,” security researcher Vitaly Simonovich said. “Because the malicious fragment is embedded in a real website’s URL, users assume the content is safe while hidden instructions secretly manipulate the AI browser assistant.”
Following responsible disclosure, Google classified it as “won’t fix (intended behavior)” and low severity, while Perplexity and Microsoft have released patches for their respective AI browsers (Comet v142.0.7444.60 and Edge 142.0.3595.94). Claude for Chrome and OpenAI Atlas have been found to be immune to HashJack.
It’s worth noting that Google does not treat policy-violating content generation and guardrail bypasses as security vulnerabilities under its AI Vulnerability Reward Program (AI VRP).
