Zero-Click Threat: New Attacks Turn AI Browsers into Google Drive Wipers

by ddos · December 8, 2025

Researchers at Striker STAR Labs have detailed a new attack against agent-based browsers that can turn an ordinary email in a user’s inbox into an almost complete Google Drive wiper. The target is Comet — Perplexity’s AI-driven browser, capable of autonomously handling a user’s email and cloud storage.

The technique, named Google Drive Wiper, belongs to the class of zero-click attacks — the user need not click a malicious link or open an attachment. Everything hinges on the browser’s integration with Gmail and Google Drive via OAuth. Once the user grants the agent permission to read mail, view files, and perform actions such as moving, renaming, or deleting items, the agent can execute those operations automatically in response to natural-language requests.

A normal, harmless request might look like: “Check my inbox and handle all the latest cleanup tasks.” The agent parses the emails, identifies relevant messages, and carries out the instructions. The flaw arises when an attacker sends the victim a specially crafted email that casually describes a “cleanup” of Google Drive: organizing files, deleting items with certain extensions or anything outside folders, and then “verifying the results.”

The agent interprets such a message as routine housekeeping and obediently executes it. As a result, the victim’s genuine Google Drive files are moved to the trash without any confirmation prompts. “The outcome is an agent browser that, in fully automated fashion, becomes a wiper and mass-deletes critical data based on a single natural-language request,” notes security researcher Amanda Russo. Once the agent has OAuth access to Gmail and Google Drive, malicious instructions can quickly propagate through shared folders and team drives.

What is especially striking is that this attack uses neither jailbreak techniques nor classic prompt injection. An attacker need only remain polite, provide sequential instructions, and phrase the request as “take care of this,” “clean that up,” or “do this for me,” effectively handing operational authority to the agent. Researchers emphasize that tone and textual structure can subtly nudge a language model into performing hazardous actions while still appearing to follow policy.

Mitigating such risks requires securing not only the model itself but the entire chain — the agent, its connectors to external services, and the natural-language instructions it is permitted to act upon autonomously. Otherwise, every polite, well-structured email from an unknown sender becomes a potential zero-click trigger for data loss.

At the same time, Cato Networks has demonstrated an additional attack technique against AI-powered browsers, dubbed HashJack. Here, the malicious prompt is hidden in the URL fragment after the “#” symbol, for example:
www.example[.]com/home#<prompt>. Such a link can be sent by email, in messaging apps, on social platforms, or embedded within a webpage. Once the victim opens the site and asks the AI browser any “smart” question about the page’s content, the agent reads the hidden fragment and executes the embedded instructions.

“HashJack is the first known indirect prompt-injection technique that allows any legitimate site to act as a covert controller of the browser’s AI assistant,” explains researcher Vitaly Simonovich. The user sees a normal URL and trusts it, while the malicious instructions lurk in a fragment few people ever inspect.

After responsible disclosure, Google assigned the issue a low priority and marked it as won’t fix (intended behavior) — the behavior is considered expected. Perplexity and Microsoft, however, released patches for their AI browsers, specifying Comet v142.0.7444.60 and Edge 142.0.3595.94 as fixed versions. According to researchers, the Claude browser for Chrome and OpenAI Atlas are not vulnerable to HashJack.

The authors note that under the Google AI Vulnerability Reward Program, violations of content-generation policies and bypasses of safety “guardrails” are not considered genuine security vulnerabilities. In practice, this leaves an entire category of attacks on AI agents occupying a gray zone between “security defect” and “expected system behavior” — even as these systems gain ever broader access to real user data and services.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal