Google adds prompt injection defenses to Chrome

  • Google strengthens Chrome against indirect prompt injection attacks with new defenses
  • Features: User Alignment Critic & Agent Origin Sets for safer agent actions
  • Agents now log activity and seek approval before accessing sensitive sites

Google is adding new defenses to the Chrome browser to make sure its agentic capabilities cannot be abused through indirect prompt injection.

Indirect prompt injection is a type of attack in which an AI agent reads third-party content (for example, an incoming email) and follows instructions hidden inside it.

An example would be an instruction, written into an email, to execute a crypto transaction through a browser wallet plugin. The text is white and set to font size 0, so the victim can’t see it, but if they run the email through the AI for any reason, the agent might act on the prompt.


User Alignment Critic and Agent Origin Sets

To make sure this doesn’t happen, Google has now introduced additional security layers, including the User Alignment Critic and Agent Origin Sets. The User Alignment Critic is a feature that monitors the agent’s actions from an environment isolated from untrusted content.

“The User Alignment Critic runs after the planning is complete to double-check each proposed action,” Google explained.

“Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the Alignment Critic will veto it. This component is architected to see only metadata about the proposed action and not any unfiltered untrustworthy web content, thus ensuring it cannot be poisoned directly from the web. It has less context, but it also has a simpler job — just approve or reject an action.”

Agent Origin Sets, on the other hand, make sure the agent can only access data from origins related to the task it is currently performing, or data the user has chosen to share with the agent. “This prevents a compromised agent from acting arbitrarily on unrelated origins,” Google added. “For each task on the web, a trustworthy gating function decides which origins proposed by the planner are relevant to the task. The design is to separate these into two sets, tracked for each session.”

Finally, agents now also keep a work log for user observability and will ask for explicit approval before navigating to sensitive sites such as banking or healthcare portals.
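To show how these three layers fit together, here is an added, illustrative Python model of the design described above; it is not Google's or Chrome's code. The gating function, the two per-session origin sets, the metadata-only critic, the work log and the "sensitive origins" list are all constructed stand-ins for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed for this example: origins treated as "sensitive" (banking/healthcare-style).
SENSITIVE_ORIGINS = {"https://bank.example", "https://health.example"}

@dataclass(frozen=True)
class ProposedAction:
    """Metadata only: the critic never sees the page text that produced the plan."""
    kind: str   # "navigate", "read" or "submit"
    url: str

@dataclass
class Session:
    user_goal: str
    task_origins: set = field(default_factory=set)         # chosen by the gating function
    user_shared_origins: set = field(default_factory=set)  # explicitly granted by the user
    work_log: list = field(default_factory=list)           # for user observability

def gate_origins(goal: str, planner_origins: list) -> set:
    """Stand-in gating function: an origin is task-relevant only if the user's own goal
    names its host, so a planner suggestion that exists only because hidden page text
    asked for it (e.g. evil.example) is dropped before the agent can touch it."""
    goal_l = goal.lower()
    return {o for o in planner_origins if urlparse(o).netloc.lower() in goal_l}

def critic(session: Session, action: ProposedAction) -> str:
    """Approve or reject one proposed action from its metadata alone, and log it."""
    p = urlparse(action.url)
    origin = f"{p.scheme}://{p.netloc}"
    if origin not in session.task_origins | session.user_shared_origins:
        verdict = "deny"            # unrelated origin: veto, whatever the planner says
    elif origin in SENSITIVE_ORIGINS and action.kind in ("navigate", "submit"):
        verdict = "needs_approval"  # sensitive site: explicit user approval first
    else:
        verdict = "allow"
    session.work_log.append((action.kind, origin, verdict))
    return verdict

def demo() -> list:
    s = Session("book a flight on flights.example")
    # Planner proposals: the second could have been planted by hidden email text.
    s.task_origins = gate_origins(s.user_goal, ["https://flights.example", "https://evil.example"])
    s.user_shared_origins.add("https://bank.example")   # user chose to share this origin
    for a in (ProposedAction("read", "https://flights.example/search?q=LHR"),
              ProposedAction("submit", "https://evil.example/wallet/send"),
              ProposedAction("navigate", "https://bank.example/login")):
        critic(s, a)
    return s.work_log
```

Running `demo()` returns the work log with the three verdicts: the flight search is allowed, the injected wallet submission is vetoed because its origin never passed the gate, and the bank navigation is held for user approval.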

Via The Hacker News
