A new agent based browser attack has been discovered in Perplexity’s Comet browser, and researchers from Straiker STAR Labs warn that it can turn a harmless looking email into a destructive command that erases all files stored in a user’s Google Drive account. The method is known as the Zero Click Google Drive Wiper technique.
The attack works by taking advantage of the browser’s ability to connect with Gmail and Google Drive in order to automate tasks. Once access is granted, the agent can read emails and interact with Drive files and folders, including opening, renaming, moving, or deleting data.
Routine user prompts can unknowingly activate this chain of actions. For example, a simple request such as: “Please check my email and complete all my recent organization tasks” causes the agent to scan the inbox, identify relevant messages, and carry out file management actions without extra verification.
Security researcher Amanda Rousseau explained that this reflects excessive autonomy in LLM driven assistants. These assistants often perform more actions than the user clearly intended, which opens the door to abuse.
How Attackers Exploit the Browser Agent
An attacker can send a specially crafted email containing natural language instructions disguised as file organization tasks. These include deleting files with certain extensions, removing files not placed in folders, or performing a general cleanup. Because the email appears to be part of normal housekeeping, the agent interprets the instructions as valid and removes real files without asking for confirmation.
Rousseau noted that this results in a browser agent wiper that sends critical data to the trash in bulk. Once an agent has OAuth access to Gmail and Drive, the destructive behavior can spread quickly across shared folders and team drives.
No Jailbreak and No Prompt Injection Needed
One of the most notable elements of this attack is that it does not rely on jailbreaks or classic prompt injection. Instead, the attacker uses polite language and sequential instructions. Words such as “take care of,” “handle this,” and “do this on my behalf” influence the agent to adopt ownership of the task and follow through completely.
This demonstrates how tone and phrasing can push a large language model to perform harmful actions without checking whether each step is safe.
Experts recommend strengthening security not only at the model level, but also across agents, connectors, and natural language instructions to reduce the risk of automated misuse.
Rousseau added that agentic browser assistants turn normal prompts into chains of powerful actions across Gmail and Drive. When these chains originate from untrusted content, especially polite emails, organizations face a new zero click data wiper threat.
HashJack Attack Exploits URL Fragments
A related disclosure from Cato Networks highlights another threat targeting AI powered browsers, known as HashJack. The technique hides rogue prompts after the hashtag symbol inside legitimate URLs such as “www.example[.]com/home” to deceive browser agents.
A threat actor can deliver this URL through email, social media, or embed it directly in a page. Once the victim loads the page and asks the AI browser a related question, the hidden prompt is executed automatically.
Security researcher Vitaly Simonovich described HashJack as the first indirect prompt injection method that weaponizes any legitimate website by embedding malicious instructions in the URL fragment. Because the site appears safe, users do not suspect that the browser assistant is being manipulated.
Following responsible disclosure, Google classified the issue as low severity and noted that it is intended behavior, while Perplexity and Microsoft have released patches for their AI browsers. Claude for Chrome and OpenAI Atlas are not affected by the HashJack technique.
Google also clarified that guardrail bypasses or policy violating content generation do not qualify as security vulnerabilities under its AI Vulnerability Reward Program.
Found this article interesting? Follow us on Twitter , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
