So let's stop building browser agents?

This is a hypothetical Reddit comment that got tweeted for attention. The to-date blast radius of this is zero.

What you're looking at now is the appropriate level of concern.

Let people build the hacky pizza ordering automations so we can find the utility sweet spots and then engineer more robust systems.

1. Access to untrusted data.

2. Access to private data.

3. Ability to communicate externally.

An LLM must not be given all three of these, or it is inherently insecure. Any two is fine (mostly; private data and external communication is still a bit iffy), but if you give them all three then you're screwed. This is inherent to how LLMs work; you can't fix it as the technology stands today.

This isn't a secret. It's well known, and it's also something you can easily derive from first principles if you know the basics of how LLMs work.

You can build browser agents, but you can't give them all three of these things. Since a browser agent inherently accesses untrusted data and communicates externally, that means that it must not be given access to private data. Run it in a separate session with no cookies or other local data from your main session and you're fine. But running it in the user's session with all of their state is just plain irresponsible.

The CEO of Perplexity hasn't addressed this at all, and instead spent all day tweeting about the transitions in their apps. They haven't shown any sign of taking this seriously and this exploit has been known for more than a month: https://x.com/AravSrinivas/status/1959689988989464889
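The three-capability rule from the comment above, as an added policy check. This is example code written for this page, not the commenter's or any product's code. It goes slightly beyond the comment: instead of three booleans it evaluates the tool set an agent is allowed to call (the tool names and their capability tags are a constructed, hypothetical catalogue) and models the "separate session with no cookies" point as an isolation flag, since running in the user's own session hands over their logged-in state whether or not any tool explicitly reads private data.

```python
"""Capability gate for LLM agents based on the 'three capabilities' rule.

Hypothetical example: the tool catalogue and agent configs below are
constructed for illustration and do not describe any real product.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Cap(Flag):
    """The three capabilities whose combination is the problem."""
    UNTRUSTED_INPUT = auto()  # reads content an attacker may control (web pages, inbound mail)
    PRIVATE_DATA = auto()     # reads the user's secrets or logged-in state
    EXTERNAL_COMMS = auto()   # can send data somewhere outside the user's control


ALL_THREE = Cap.UNTRUSTED_INPUT | Cap.PRIVATE_DATA | Cap.EXTERNAL_COMMS

# Hypothetical tool catalogue: each tool an agent may call is tagged with the
# capabilities it confers on the model. Names are illustrative only.
TOOL_CAPS = {
    "browse_page": Cap.UNTRUSTED_INPUT,                    # fetches and reads arbitrary web content
    "submit_form": Cap.EXTERNAL_COMMS,                     # posts data to whatever site the page points at
    "http_post": Cap.EXTERNAL_COMMS,
    "read_email": Cap.UNTRUSTED_INPUT | Cap.PRIVATE_DATA,  # inbox is both private and attacker-writable
    "read_clipboard": Cap.PRIVATE_DATA,
    "local_summarize": Cap(0),                             # pure computation, confers nothing
}


@dataclass(frozen=True)
class AgentConfig:
    name: str
    tools: frozenset
    # True when the agent runs in a fresh browser profile with no cookies,
    # local storage or saved logins carried over from the user's main session.
    isolated_session: bool


def effective_caps(cfg: AgentConfig) -> Cap:
    """Union of the capabilities granted by the agent's tools and its session."""
    caps = Cap(0)
    for tool in cfg.tools:
        caps |= TOOL_CAPS[tool]
    # The user's own session carries their logged-in state, so the agent has
    # private data available even if no tool explicitly reads it.
    if not cfg.isolated_session:
        caps |= Cap.PRIVATE_DATA
    return caps


def evaluate(cfg: AgentConfig) -> tuple:
    """Return ('deny' | 'allow', findings).

    Deny when all three capabilities meet; warn on the 'iffy' pair
    (private data plus external comms) even without untrusted input.
    """
    caps = effective_caps(cfg)
    findings = []
    if caps & ALL_THREE == ALL_THREE:
        findings.append(
            "untrusted input + private data + external comms: injected "
            "instructions in the untrusted input can exfiltrate private data"
        )
        return "deny", findings
    if Cap.PRIVATE_DATA in caps and Cap.EXTERNAL_COMMS in caps:
        findings.append(
            "private data + external comms: acceptable only while every "
            "input the model sees is trusted"
        )
    return "allow", findings


def capability_to_remove(cfg: AgentConfig, inherent: Cap) -> Cap:
    """For a denied config, the capability to take away, given the ones the
    agent's job inherently needs (a browser agent inherently has untrusted
    input and external comms, so the answer there is private data)."""
    return effective_caps(cfg) & ~inherent


if __name__ == "__main__":
    # Constructed sample: a pizza-ordering agent in the user's own session.
    pizza = AgentConfig("pizza", frozenset({"browse_page", "submit_form"}), isolated_session=False)
    print(pizza.name, evaluate(pizza))
    print("remove:", capability_to_remove(pizza, Cap.UNTRUSTED_INPUT | Cap.EXTERNAL_COMMS))
    # Same agent in a fresh session with no cookies or local data.
    print("isolated", evaluate(AgentConfig("pizza", pizza.tools, isolated_session=True)))
```

The check is a whitelist on capability combinations, not a filter on content: it does not try to detect injected instructions in the untrusted input, which the comment's point is that you cannot do reliably. The decision is made from the configuration alone, before the agent runs.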

> So let's stop building browser agents?

Yes, because the idea is stupid and also the reality turns out to be stupid. No part of this was not 100% predictable.

> So let's stop building browser agents?

The phrasing of this seems to imply that you think this is obviously ridiculous to the point that you can just say it ironically. But I actually think that's a good idea.