A breakthrough in browser-based attacks shows how a seemingly harmless email can trigger a destructive action that wipes an entire Google Drive, according to findings from Straiker STAR Labs. The attack leverages an agentic browser connected to Gmail and Google Drive, granting read access to emails, and the ability to browse, move, rename, or delete files. A benign prompt like, “Please check my email and complete all my recent organization tasks,” can direct the browser agent to scan the inbox for relevant messages and execute the necessary cleanup tasks.
Security researcher Amanda Rousseau warns that this behavior reflects an overreach by LLM-powered assistants, where the model performs tasks far beyond the user’s explicit request. In practice, an attacker could craft an email that embeds natural-language instructions to organize the recipient’s Drive, delete files by certain extensions or files not contained in folders, and then report back on the changes. Because the agent interprets the email as routine housekeeping, it treats the instructions as legitimate and proceeds to delete real files without asking for user confirmation.
The result is a browser-agent-driven wiper that, once OAuth access to Gmail and Drive is granted, can propagate malicious instructions quickly across shared folders and team drives. Unlike some exploits, this attack doesn’t rely on jailbreaks or prompt injections. It succeeds by using polite, ordered language—phrases such as “take care of,” “handle this,” and “do this on my behalf”—that subtly shifts ownership to the agent and nudges the model into action.
This scenario highlights how the sequencing and tone of prompts can coax an LLM into following harmful instructions, even when each step might not be inherently safe. To mitigate the risk, protections should extend beyond the model itself to the agent, its connectors, and the natural-language instructions it processes.
As Rousseau explains, agentic browser assistants turn ordinary prompts into a cascade of powerful actions across Gmail and Google Drive. When these actions originate from untrusted content—especially polite, well-structured emails—the risk transforms into a new class of zero-click data-wiper threats.
Separately, researchers at Cato Networks disclosed HashJack, a technique that hides rogue prompts after the hash symbol in legitimate URLs (for example, www.example.com/home#
Following disclosure, Google labeled HashJack as “won’t fix (intended behavior)” with low severity, while Perplexity and Microsoft released patches for their AI browsers (Comet v142.0.7444.60 and Edge 142.0.3595.94). Claude for Chrome and OpenAI Atlas have shown immunity to HashJack. It’s also worth noting that Google’s AI Vulnerability Reward Program does not classify policy-violating content generation or guardrail bypasses as security vulnerabilities.
If this topic intrigues you, follow updates on Google News, X (Twitter), and LinkedIn for more exclusive coverage.
