Google plans to add a second Gemini-based model to Chrome to address security issues that arise from adding the first Gemini model to Chrome.
Google added a Gemini-powered chat window to its browser in September and promised that the software would soon gain agent functionality that allows it to interact with browser controls and other tools in response to prompts.
Allowing error-prone AI models to browse the web without human intervention is risky. The software could potentially import content from a maliciously crafted web page that tells it to ignore safety guardrails. This is known as “indirectly prompted injection.”
Google is aware of the risks posed by indirect prompt injection, and in a blog post on Monday, Chrome security engineer Nathan Parker rated it as “a major new threat facing all agent browsers.”
“This virus can appear on malicious sites, third-party content in iframes, or user-generated content such as user reviews, potentially leading agents to perform undesirable actions such as initiating financial transactions or exfiltrating sensitive data,” Parker wrote.
Due to the severity of this threat, IT consulting firm Gartner recently recommended that businesses block all AI browsers.
The Chocolate Factory, which has invested billions of dollars in AI infrastructure and services, wants people to embrace AI rather than avoid it. So the advertising industry is adding a second model to maintain Gemini-based agents.
Parker calls monitoring mechanisms “user-coordinated critics.”
“User-adjusted critics run after planning is complete to double-check each proposed action,” he explains. “Its main focus is task coordination and determining whether the proposed action meets the user's stated goals. If the action is not coordinated, the coordination critic will veto it.”
Parker said Google designed Critic so that attackers cannot contaminate it by exposing models to malicious content.
Having one machine learning model participate in moderating another has become an accepted pattern among AI companies. It was proposed by developer Simon Willison in 2023 and formally formalized in a Google DeepMind paper published this year. This technology is called “CaMeL”, which stands for “CAPabilities for MachineE Learning”.
Parker added that Google is also bringing Chrome's origin isolation capabilities to agent-driven site interactions.
The web security model is based on the same-origin policy. Sites should not access data from different origins (such as domains). Chrome also attempts to enforce site isolation unless CORS allows it. This places cross-site data in a separate process away from the web page process.
Google extended this design to agents using a technology called Agent Origin Sets, which aims to prevent Chrome-based AI from interacting with data from arbitrary origins. register We understand that Chrome developers are building some of this work, particularly the Origin Isolation extension, into the current build of the browser, and that other agent features will come in future releases.
Additionally, Google aims to make Chrome's agent interactions more transparent, so your instructions for tackling complex tasks won't fail when something goes wrong. The model/agent will ask the user for confirmation before navigating to a site that handles sensitive data (banks, medical sites, etc.). RoboBrowser also asks for confirmation before Chrome allows you to sign in to a site using Google Password Manager. And for sensitive web actions, such as making online purchases, sending messages, or other unspecified consequential actions, the agent only asks for permission or instructs the user to complete a final step.
Parker said that to help security researchers test Chrome's agent protection features, Google is revising its vulnerability bounty program (also known as bug bounty) and offering payments to those who discover flaws.
“We want to hear about significant vulnerabilities in this system and will pay up to $20,000 for anything that proves a breach of our security perimeter,” Parker said. ®
