Security researcher Johann Rehberger discovered a vulnerability in AI-powered web browsers that allows for indirect prompt injection attacks using URL fragments. The flaw, which the researcher named “Crescendo,” was demonstrated to affect features in both Arc Browser and Microsoft Copilot.

The ‘Crescendo’ Vulnerability Explained

The attack method utilizes the fragment identifier in a URL, which is the portion of the address that follows a hash (#) symbol. Web browsers typically process this fragment on the client side, meaning it is not sent to the web server. However, AI features integrated into browsers can read this information as part of the overall page content. Rehberger’s research showed that by embedding a malicious prompt within the URL fragment of a link, an attacker could command the browser’s AI to execute unintended actions after a user clicks the link.

Demonstrated Exploits on Arc and Copilot

Rehberger provided specific proof-of-concept demonstrations. For Microsoft Copilot, he crafted a link that caused the AI sidebar to display a fabricated email impersonating Microsoft Security. This fake message directed the user to run a PowerShell command. The provided command, if executed, copied the contents of a local file named secret.txt from the user’s Documents folder to their clipboard. In a separate demonstration targeting Arc Browser, a malicious prompt was used to instruct its “Arc Max” feature to make a false claim about who created a website.

The security researcher reported these findings to the affected browser vendors.

Source: https://www.csoonline.com/article/4097087/ai-browsers-can-be-tricked-with-malicious-prompts-hidden-in-url-fragments.html