AI agents that can browse the Web and perform tasks on your behalf have incredible potential but also introduce new security risks.
We recently found, and disclosed, a concerning flaw in Perplexity's Comet browser that put users' accounts and other sensitive info in danger.
This security flaw stems from how Comet summarizes websites for users.
When processing a site's content, Comet can't tell content on the website apart from legitimate instructions by the user. This means that the browser will follow commands hidden on the site by an attacker.
These malicious instructions could be white text on a white background or HTML comments. Or they could be a social media post.
If Comet sees the commands while summarizing, it will follow them even if they could hurt the user. This is an example of an indirect prompt injection.
One example attack: 1. A Comet user sees a Reddit thread where one comment has hidden instructions.
2. The user asks Comet to summarize the thread.
3. Comet follows the malicious instructions to find the user's Perplexity login details and send them to the attacker.
This attack demonstrates the risks presented by AI agents operating with full user authentication across multiple sites.
New security measures are needed to make agentic browsing safe.
In today's blog post, we share more details on this vulnerability and discuss potential protections against other attacks of this nature.
New testing confirms that Brave for Android is outperforming the competition. 🏆
It's faster, uses less battery and CPU, and consumes less mobile data and Wi-Fi bandwidth than other major browsers. 🧵
We conducted performance tests with a Google Pixel 6a using our open-source BLaDE infrastructure.
In the tests, we measured Brave against four competing browsers: Chrome, DuckDuckGo, Edge and Firefox.
Here's what we found...
Battery and CPU:
Brave uses 3.9% less energy than Chrome, Edge, and Firefox and 5.5% less CPU on average.
It uses 23.7% less energy and 17.6% less CPU than DuckDuckGo. On review, we found a resource management issue in DDG that we shared with its team: github.com/duckduckgo/And…
Brave and @InputOutputHK are teaming up to integrate Cardano's blockchain into our browser's multi-chain wallet.
When the integration is live, Brave Wallet users will be able to directly access Cardano to manage native assets like NIGHT, engage in governance, and seamlessly swap tokens.
This update expands Brave's multi-chain capabilities beyond its existing support for networks like Ethereum and Solana.
We're excited to make Web3 more accessible and secure for Brave and Cardano users.
Google has lied repeatedly to Chrome users about plans to protect their privacy.
This week, it broke yet another promise. 🧵
In 2020, Google announced plans to remove third-party cookies from Chrome by 2022.
Then Google delayed the removal of these trackers to 2023.
Then Google delayed it to 2024.
Last summer, the company announced it wouldn't block third-party cookies after all.
While Google dragged its feet, nearly every other browser began blocking third-party cookies.
Chrome is now the worst browser for user privacy by far. Users' data is collected through cookies (and other tracking methods) so they can be targeted with ads.
Google Chrome's proposed "Related Website Sets" (RWS) feature will further undermine Chrome users' privacy.
RWS allows companies to track you across sites without your knowledge.
If two sites are owned by the same organization, Chrome will allow third-party cookies between them.
This would let Google link YouTube videos you watch to your Google profile, even when you’re not logged into YT, and even after third-party cookies are deprecated in Chrome.
Google justifies RWS by saying that users expect two sites owned by the same company to share data.
However, a study we conducted with @univofstandrews, @imperialcollege, and @hkust showed that users can't consistently tell if two sites are related: brave.com/blog/related-w…