- Google strengthens Chrome against indirect prompt injection attacks with new defenses
- Features: User Alignment Critic and Agent Origin Sets for safer agent actions
- Agents now log activity and request approval before accessing sensitive sites
Google is adding new defenses to the Chrome browser, to ensure its agent capabilities can’t be abused via indirect prompt injection.
Indirect prompt injection is a type of attack in which the AI agent reads third-party content (e.g., an incoming email) and executes instructions embedded in it.
An example would be a prompt, written into an email, to execute a crypto transaction from a browser wallet plugin. The text is white and set to font size 0, so the victim can’t see it, but if they have the AI process the email for some reason, the agent can act on the prompt.
User Alignment Critic and Agent Origin Sets
To prevent this from happening, Google has now introduced additional layers of security, including User Alignment Critic and Agent Origin Sets. User Alignment Critic is a feature that monitors agent actions in an environment isolated from untrusted content.
“User Alignment Critic runs after planning is complete to double-check each proposed action,” Google explained.
“Its primary purpose is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the alignment reviewer will veto it. This component is designed to see only metadata about the proposed action and not any unfiltered, untrusted web content, ensuring that it cannot be poisoned directly from the web. It has less context, but its job is also simpler: just approve or reject an action.”
Agent Origin Sets, on the other hand, ensure that the agent can only access data from origins related to the task it is currently performing or data that the user has chosen to share with the agent. “This prevents a compromised agent from acting arbitrarily on unrelated origins,” Google added. “For each task on the Web, a reliable control function decides which origins proposed by the scheduler are relevant for the task. The goal is to separate them into two sets, tracked for each session.”
Finally, agents now also create a work log for user observability and request explicit approval before navigating to sensitive sites such as banking or healthcare portals.
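The origin gating and approval step described above can be sketched as a check that sees only an action's metadata. This is an added illustration, not Google's or Chrome's code; the class and function names, the example origins, and the modelling of the two per-session sets as readable and writable origins are assumptions.

```javascript
// Added illustration, not Chrome's implementation. All names and origins are hypothetical.
// Assumption: the two per-session sets are modelled as readable and writable origins.
class SessionOriginSets {
  constructor() {
    this.readable = new Set(); // origins the agent may read content from
    this.writable = new Set(); // origins the agent may act on (click, type, submit)
  }
  // Called by the trusted gating step only, never by the planner directly.
  admit(url, { write = false } = {}) {
    const origin = new URL(url).origin;
    this.readable.add(origin);
    if (write) this.writable.add(origin);
  }
}

// Constructed list of sensitive origins that always need explicit user approval.
const SENSITIVE = new Set(["https://bank.example"]);

// Judge a proposed action from its metadata alone (kind and target URL),
// never from page content that could carry injected instructions.
function gateAction(sets, action, userApproved = false) {
  let origin;
  try {
    origin = new URL(action.url).origin;
  } catch {
    return { allow: false, reason: "unparseable-url" };
  }
  if (origin === "null") return { allow: false, reason: "opaque-origin" }; // e.g. data: URLs
  const allowed = action.kind === "read" ? sets.readable : sets.writable;
  if (!allowed.has(origin)) return { allow: false, reason: "origin-not-in-task-set" };
  if (SENSITIVE.has(origin) && !userApproved) {
    return { allow: false, reason: "needs-user-approval" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed session: the user asked the agent to buy an item on shop.example.
function demo() {
  const sets = new SessionOriginSets();
  sets.admit("https://shop.example/cart", { write: true });
  sets.admit("https://reviews.example/item/1"); // read-only for this task
  const proposed = [
    { kind: "click", url: "https://shop.example/checkout" },
    { kind: "click", url: "https://wallet.example/send" }, // unrelated to the task
    { kind: "read", url: "https://shop.example.evil.test/" }, // lookalike host
  ];
  return proposed.map((a) => ({ ...a, ...gateAction(sets, a) })); // work-log entries
}
```

Comparing parsed origins rather than URL string prefixes is what rejects the lookalike host and a scheme downgrade to `http://`.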
Via hacker news