Google adds prompt injection defenses to Chrome


  • Google strengthens Chrome against indirect prompt injection attacks with new defenses
  • Features: User Alignment Critic & Agent Origin Sets for safer agent actions
  • Agents now log activity and seek approval before accessing sensitive sites

Google is adding new defenses to the Chrome browser, to make sure its agentic capabilities cannot be abused through indirect prompt injection.

Indirect prompt injection is a type of attack in which an AI agent reads third-party content (for example, an incoming email) that contains hidden instructions, and acts on those instructions as if they had come from the user.

An example would be an email containing a prompt telling the agent to execute a crypto transaction through a browser wallet plugin. The text is rendered in white at font size 0, so the victim can’t see it, but if they run the email through the AI for any reason, the agent might act on the prompt.


User Alignment Critic and Agent Origin Sets

To make sure this doesn’t happen, Google has now introduced additional security layers, including the User Alignment Critic and Agent Origin Sets. The User Alignment Critic is a feature that monitors the agent’s actions from an environment isolated from untrusted content.

“The User Alignment Critic runs after the planning is complete to double-check each proposed action,” Google explained.

“Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the Alignment Critic will veto it. This component is architected to see only metadata about the proposed action and not any unfiltered untrustworthy web content, thus ensuring it cannot be poisoned directly from the web. It has less context, but it also has a simpler job — just approve or reject an action.”

Agent Origin Sets, on the other hand, make sure the agent can only access data from origins related to the task it is currently performing, or data that the user chose to share with the agent. “This prevents a compromised agent from acting arbitrarily on unrelated origins,” Google added. “For each task on the web, a trustworthy gating function decides which origins proposed by the planner are relevant to the task. The design is to separate these into two sets, tracked for each session.”

Finally, agents now also keep a work log for user observability, and will ask for explicit approval before navigating to sensitive sites such as banking or healthcare portals.
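The following is an added illustration, not Chrome's code, of how the controls described above fit together: a critic that sees only action metadata (never page text), an origin gate backed by two per-session sets, an approval step for sensitive sites, and a work log. All names, categories and origins are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed category labels standing in for the "sensitive site" classes the article names.
SENSITIVE_CATEGORIES = {"banking", "healthcare"}

@dataclass
class ProposedAction:
    """Metadata only: the critic never receives the web content that produced the plan."""
    kind: str              # e.g. "read", "navigate", "submit_payment"
    origin: str            # scheme + host the action would touch
    category: str = "general"

@dataclass
class Session:
    goal_kinds: frozenset                   # action kinds the user's stated task permits
    task_origins: set                       # set 1: origins the gating function tied to the task
    user_shared_origins: set                # set 2: origins the user explicitly shared
    approved_sensitive: set = field(default_factory=set)   # sensitive origins the user has approved
    work_log: list = field(default_factory=list)           # observable record of every decision

def gate_origin(session: Session, origin: str) -> bool:
    """Trustworthy gating function: an origin is reachable only via one of the two sets."""
    return origin in session.task_origins or origin in session.user_shared_origins

def alignment_critic(session: Session, action: ProposedAction) -> str:
    """Approve or veto from metadata alone; untrusted page text cannot influence this step."""
    if action.kind not in session.goal_kinds:
        return "veto: action does not serve the user's stated goal"
    if not gate_origin(session, action.origin):
        return "veto: origin is in neither the task set nor the user-shared set"
    if action.category in SENSITIVE_CATEGORIES and action.origin not in session.approved_sensitive:
        return "needs_approval: sensitive site requires explicit user consent"
    return "approve"

def run_action(session: Session, action: ProposedAction) -> str:
    """Run the critic over a proposed action and record the verdict in the work log."""
    verdict = alignment_critic(session, action)
    session.work_log.append((action.kind, action.origin, verdict))
    return verdict

def demo() -> list:
    """Task: 'summarise my inbox'. A hidden email prompt proposes a wallet payment; it is vetoed."""
    s = Session(frozenset({"read", "navigate"}), {"https://mail.example"}, {"https://bank.example"})
    run_action(s, ProposedAction("read", "https://mail.example"))                    # approve
    run_action(s, ProposedAction("submit_payment", "https://wallet.example"))        # veto (goal)
    run_action(s, ProposedAction("navigate", "https://tracker.example"))             # veto (origin)
    run_action(s, ProposedAction("navigate", "https://bank.example", "banking"))     # needs_approval
    return s.work_log
```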

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.