AI Sidebar Spoofing Puts ChatGPT Atlas, Perplexity Comet and Other Browsers at Risk – SecurityWeek
SquareX has shown how malicious browser extensions can impersonate AI sidebar interfaces.
Enterprise browser security firm SquareX has demonstrated how malicious browser extensions can impersonate AI sidebar interfaces for phishing and other nefarious purposes.
The attack method, named AI Sidebar Spoofing, has been demonstrated against Perplexity’s Comet and ChatGPT Atlas, OpenAI’s new web browser. However, SquareX contends this is a systemic flaw: not only AI browsers but also Edge, Brave and Firefox are susceptible.
AI sidebars are AI chat windows integrated into web browsers, typically displayed on the side of the screen, processing content on the current page or performing actions based on user prompts.
ChatGPT Atlas and Comet are dedicated AI browsers, but applications such as Edge and Chrome also integrate AI assistants powered by Copilot and Gemini. Firefox and Brave also have an AI sidebar, but they use third-party chatbots rather than having their own proprietary LLM.
SquareX researchers have shown how threat actors can spoof trusted AI sidebars in browsers by getting the targeted user to install a malicious browser extension. The extension can be created by the attacker from scratch and disguised as a harmless tool or it can be a legitimate extension that has been compromised and modified.
It’s worth noting that the malicious extension requires host and storage permissions, but the security firm pointed out that these are common permissions required by many popular extensions.
When the victim opens a new browser tab, the malicious extension injects JavaScript into the page to create a fake sidebar that is a perfect replica of the legitimate AI sidebar.
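One way a defender can triage installed extensions against the permission profile described above, as an added example that is not SquareX's or SecurityWeek's code. The manifests are constructed and `auditManifest` and `reviewList` are hypothetical names; because these permissions are common, the result is a list for manual review, not a verdict.

```javascript
// Added example. Manifests below are constructed; function names are hypothetical.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (p) => BROAD.has(p);
// Host match patterns contain "://" (or are "<all_urls>"); API permissions do not.
const isPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(m) {
  const perms = m.permissions || [];
  // MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
  const hosts = [...(m.host_permissions || []), ...perms.filter(isPattern)];
  const scriptMatches = (m.content_scripts || []).flatMap((cs) => cs.matches || []);
  const broadHosts = [...new Set([...hosts, ...scriptMatches])].filter(isBroad);
  const storage = perms.includes("storage");
  // Two ways to put script into every page: a static content script with a
  // broad match, or programmatic injection backed by broad host access
  // (MV3 needs the "scripting" permission; MV2 tabs.executeScript does not).
  const canInject = scriptMatches.some(isBroad) ||
    (hosts.some(isBroad) && (perms.includes("scripting") || m.manifest_version === 2));
  return { name: m.name, broadHosts, storage, canInject,
           review: storage && canInject };
}

// Names of extensions that match the profile and deserve a manual look.
function reviewList(manifests) {
  return manifests.map(auditManifest).filter((r) => r.review).map((r) => r.name);
}

// Constructed sample manifests (not real extensions).
const samples = [
  { name: "Tab Tidy (constructed)", manifest_version: 3,
    permissions: ["storage", "scripting"], host_permissions: ["<all_urls>"] },
  { name: "Price Watch (constructed)", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["https://shop.example/*"],
    content_scripts: [{ matches: ["https://shop.example/*"], js: ["cs.js"] }] },
  { name: "Legacy Notes (constructed)", manifest_version: 2,
    permissions: ["storage", "*://*/*"] },
  { name: "Theme Picker (constructed)", manifest_version: 3,
    permissions: ["storage"] },
];

console.log(reviewList(samples));
```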

“Since there is no visual and workflow difference between the spoofed and real AI sidebar, the user will likely believe that they are interacting with the real AI browser sidebar,” SquareX explained.
“Once the user enters a prompt into the spoofed AI sidebar, the extension hooks into its LLM to generate a response. However, the key difference is when it detects prompts that request for certain instructions/guides, it will manipulate the responses to include malicious steps that the user will then execute,” it added.
SquareX has shown how AI Sidebar Spoofing can be leveraged for phishing and malware distribution. For instance, the malicious sidebar can direct users to a phishing site when they ask about cryptocurrency services.

If the victim wants help with the installation of an app that requires the execution of commands, the fake AI sidebar can display instructions for executing a reverse shell that provides remote access to the device, enabling the deployment of malware.
In addition to using malicious browser extensions, SquareX pointed out, attackers can set up websites that have a natively integrated spoofed AI sidebar. However, the attack vector involving malicious extensions is more significant as it can be executed on any website.
SquareX told SecurityWeek that its findings have been reported to Perplexity and OpenAI.
However, these types of vulnerabilities are typically difficult to fully address considering that a successful attack requires significant interaction from the victim.
OpenAI pointed out in the blog post announcing Atlas that it has added safeguards to prevent various risks. For instance, the ChatGPT agent cannot run code in the browser, download files, or install extensions, and it cannot access other apps on the device.
However, these types of protections have a limited effect if an attacker uses social engineering to trick the victim into installing an extension, interacting with the fake AI sidebar, and trusting the instructions provided by the chatbot.
Attacks involving malicious browser extensions were previously demonstrated against popular LLMs such as ChatGPT, Gemini, Copilot, Claude and DeepSeek.
Eduard Kovacs (@EduardKovacs) is the managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.