‘Dumpster fires’: David Shipley, head of Canadian employee security awareness training firm Beauceron Security, agrees.”I think if CISOs are bored and want to spice up their lives with an incident, they should roll out these AI-powered hot messes to their users,” he said .”But, if they’re like most CISOs and they have lots of problems, but free time and boredom aren’t on that list, they should avoid these dumpster fires [AI browsers] at all costs.”Building and supporting a legitimate browser and extension ecosystem is difficult work, he argued, pointing out that even Apple, Google, and Microsoft still have issues.”I think it’s a mistake to think of the risk as just being about extensions,” he added. “It’s the fundamental DNA of these browsers that is bad; the companies aren’t incented to pay enough attention to the problems, and bad extensions are just the straw that breaks cybersecurity’s back.”
How it works: CISOs have a tough challenge: It’s not hard to fool an employee into downloading and installing a malicious extension for any browser; browser extensions are supposed to be attractive add-on utilities such as password managers or AI productivity assistants. They are promoted in phishing and smishing messages, social media posts and, when threat actors are able, uploaded to marketplaces such as the Google Chrome Web Store. They can be malware disguised as a legitimate extension or can be a compromised version of one.In AI Sidebar Spoofing, says the SquareX report, once a victim opens a new AI browser tab, the malicious extension injects JavaScript into the web page to create a fake sidebar that looks exactly like a legitimate sidebar. When the user enters a prompt into the spoofed sidebar, the extension hooks into its AI engine. But if the prompt requests certain instructions or guides, the responses can be manipulated to include additional instructions to the user. So, for example, if the user asks for good file sharing sites, the malicious extension might provide a link to the attacker’s file sharing site that requests high risk OAuth permissions that it can harvest. In the hands of a hacker, they could allow access to the victim’s email.In one test, when a SquareX researcher asked a malicious sidebar extension how to install the Homebrew package manager for macOS or Linux, the instructions included an installation command line that executed a reverse shell command that would have connected the victim’s device to the attacker’s server. That would have given the attacker a system shell in which to execute commands on the victim’s machine.It’s critical that infosec leaders set granular browser-native policies that prevent users from carrying out malicious tasks as instructed by a fake AI sidebar, says the report. These would include a policy that blocks advanced phishing sites using advanced machine learning and page heuristic analysis, a policy that blocks high risk permissions from being granted to non-allowlisted apps, and a policy that warns users about and blocks copies of malicious/risky Linux commands.The research “is a warning shot for the early days of agentic browsing and [reminds users] that the implicit trust model of the UI needs rethinking,” said Gabrielle Hempel, security operations strategist at Exabeam.”The main issue here is that agentic-AI browsers introduce an entirely new attack surface. This attack, a malicious extension injecting a fake AI sidebar overlay that looks like the real one, allows threat actors to hijack the ‘trusted’ AI assistant UI and trick users into executing dangerous operations,” she pointed out. “Organizations need to be taking this seriously, because when you delegate browsing and actions to an AI sidebar, you are elevating what previously might have been a minor risk into a material risk to cloud assets, credentials, and devices.”IT leaders should restrict AI browser use for high-risk functions until they are proven secure, she advised, adding that, because the attack uses an extension with host and storage permissions, organizations should revisit their extension approval workflows for those as well. In fact, any productivity tool that requests broad access should require scrutiny. “Segmentation is also important once these tools are implemented: least privilege applies here and AI interaction with certain tabs/services should be limited,” she said. This article originally appeared on Computerworld.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4078306/ai-browsers-can-be-abused-by-malicious-ai-sidebar-extensions-report-2.html
