Agentic Browsers
The always worth reading Simon Willison has a very clear, eye-opening take on a recent security issue the Brave team (who are working on an Agentic Browser) discovered in Perplexity Comet (a competing Agentic Browser).
Here’s where things get difficult: Brave themselves are developing an agentic browser feature called Leo. Brave’s security team describe the following as a “potential mitigation” to the issue with Comet:
The browser should clearly separate the user’s instructions from the website’s contents when sending them as context to the model. The contents of the page should always be treated as untrusted.
If only it were that easy! This is the core problem at the heart of prompt injection which we’ve been talking about for nearly three years - to an LLM the trusted instructions and untrusted content are concatenated together into the same stream of tokens, and to date (despite many attempts) nobody has demonstrated a convincing and effective way of distinguishing between the two.
Oof. This gets back to “Start to Exfil” and the broader question: how the hell do you let an AI read unprotected content and also have access to private data?
The short answer for right now appears to be: you cannot!
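As an added example (not from Simon's post, Brave's write-up, or any real browser), here is that "you cannot" conclusion turned into a session policy: since the agent cannot separate page text from instructions inside the token stream, the policy never inspects the text at all; it only records whether untrusted content and private data have entered the context and refuses the tool call that would bring the two together with a way out. Tool names and capability labels are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Cap(Flag):
    """What a tool can touch (hypothetical capability labels for this example)."""
    NONE = 0
    READS_PRIVATE = auto()  # returns user-private data (mail, saved logins, bank pages)
    SENDS_OUT = auto()      # can move data off the device (fetch a URL, submit a form)


@dataclass
class Tool:
    name: str
    caps: Cap = Cap.NONE


@dataclass
class AgentSession:
    """Tracks which kinds of data have entered the model's single token stream."""
    has_untrusted: bool = False  # some web page content has been read into context
    has_private: bool = False    # some user-private data has been read into context
    log: list = field(default_factory=list)

    def read_page(self, text: str) -> None:
        # Page contents are always untrusted. Once in context the model cannot tell
        # them apart from the user's instructions, so we only record that they are there.
        self.has_untrusted = True
        self.log.append(("page", len(text)))

    def authorize(self, tool: Tool) -> bool:
        """Deny the call that would let injected page text reach private data or a channel out.
        On an allowed call, remember whether private data has now entered the context."""
        if self.has_untrusted and Cap.READS_PRIVATE in tool.caps:
            return False  # text from the page could now be steering this private read
        if self.has_untrusted and self.has_private and Cap.SENDS_OUT in tool.caps:
            return False  # "start to exfil": private data + page text + a way out
        if Cap.READS_PRIVATE in tool.caps:
            self.has_private = True
        self.log.append(("tool", tool.name))
        return True


def demo_page_first() -> dict:
    # Constructed scenario: the user asks the agent to summarise a web page, then the
    # model proposes further tool calls. The page text itself is irrelevant to the policy.
    s = AgentSession()
    s.read_page("<constructed page text; contents not inspected>")
    return {
        "fetch_after_page": s.authorize(Tool("fetch_public_url", Cap.NONE)),    # more untrusted content is fine
        "mail_after_page": s.authorize(Tool("open_mailbox", Cap.READS_PRIVATE)),  # private read after untrusted input
        "submit_after_page": s.authorize(Tool("submit_form", Cap.SENDS_OUT)),   # nothing private in context yet
    }


def demo_private_first() -> bool:
    # Constructed scenario: mailbox read first (allowed), then a page, then a form submit.
    s = AgentSession()
    s.authorize(Tool("open_mailbox", Cap.READS_PRIVATE))
    s.read_page("<constructed page text>")
    return s.authorize(Tool("submit_form", Cap.SENDS_OUT))
```

The second scenario is the "Start to Exfil" shape: each step was harmless on its own, and only the combination is refused.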