- Google strengthens Chrome against indirect prompt injection attacks with new defenses
- Features: User Alignment Critic and Agent Origin Sets for safer agent actions
- Agents now log activity and seek approval before accessing sensitive sites
Google is adding new defenses to the Chrome browser to ensure that its agent capabilities cannot be abused through indirect prompt injection.
Prompt injection is a type of attack in which the AI agent reads third-party content (for example, an incoming email) and executes instructions embedded in it.
An example would be an instruction, written into an email, to execute a crypto transaction from a browser wallet plugin. The text is white with a font size of 0, so the victim cannot see it, but if they pass the email through the AI for any reason, the agent could act as instructed.
Agent Origin Sets and User Alignment Critic
To make sure this doesn’t happen, Google has now introduced additional layers of security, including the User Alignment Critic and Agent Origin Sets. The User Alignment Critic is a feature that monitors agent actions in an environment isolated from untrusted content.
“User Alignment Critic runs after planning is complete to verify each proposed action,” Google explained.
“Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is out of alignment, the Alignment Critic will veto it. This component is designed to see only metadata about the proposed action and not any unfiltered, untrusted web content, thus ensuring that it cannot be poisoned directly from the web. It has less context, but it also has a simpler job: simply approve or reject an action.”
Agent Origin Sets, on the other hand, ensure that the agent can only access data from origins related to the task it is currently performing, or data that the user has chosen to share with the agent. “This prevents a compromised agent from acting arbitrarily on unrelated sources,” Google added. “For each task on the web, a reliable control function decides which origins proposed by the scheduler are relevant to the task. The design is to separate them into two sets, tracked for each session.”
Finally, agents can now also create a work log for user observability and will ask for explicit approval before navigating to sensitive sites like banking or healthcare portals.
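A minimal sketch of the origin gating, approval step and work log described above, added here as an illustration and not Google's or Chrome's code. The names (`OriginGate`, `decide`, `normalize`, `SENSITIVE`) are hypothetical, the origins are constructed, and since the article does not name the two per-session sets, the sketch assumes a read-only set and a read-write set.

```javascript
// Added sketch: per-session origin gating for a browsing agent.
// Every name and origin below is hypothetical or constructed.
const SENSITIVE = new Set(["https://bank.example"]); // constructed sample

// Compare origins (scheme + host + port), never raw URL strings or substrings.
function normalize(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin; // opaque origins (data:, file:) rejected
  } catch {
    return null; // not a parseable URL
  }
}

class OriginGate {
  constructor({ readOnly = [], readWrite = [] }) {
    // Assumption: the two per-session sets are read-only and read-write origins.
    this.readOnly = new Set(readOnly.map(normalize));
    this.readWrite = new Set(readWrite.map(normalize));
    this.log = []; // work log for user observability
  }

  // `action` is metadata only ({ kind, url }). No page content is passed in,
  // so injected text has no path into the decision.
  decide(action, userApproves = () => false) {
    const origin = normalize(action.url);
    let verdict = "allow";
    if (origin === null) {
      verdict = "deny";
    } else if (!this.readOnly.has(origin) && !this.readWrite.has(origin)) {
      verdict = "deny"; // origin is unrelated to the task
    } else if (action.kind !== "read" && !this.readWrite.has(origin)) {
      verdict = "deny"; // read-only origin: no clicks, typing or navigation
    } else if (SENSITIVE.has(origin) && !userApproves(origin)) {
      verdict = "deny"; // sensitive site without explicit user approval
    }
    this.log.push({ kind: action.kind, origin, verdict });
    return verdict;
  }
}
```

Comparing parsed origins is what makes a lookalike host such as `https://shop.example.evil.test` fail the check even though its URL begins with an allowed string.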
Via The Hacker News




