Executive Summary
In early June 2024, security researchers identified a novel application security vulnerability affecting OpenAI’s Atlas and Perplexity’s Comet browsers. Attackers leveraged spoofed AI sidebars to present malicious, AI-generated instructions that duped users into actions compromising security, such as running unverified commands or visiting phishing sites. The attack method bypassed traditional endpoint defenses by exploiting inherent trust in AI-powered browser features. Though no widespread exploitation has been confirmed, proof-of-concept demonstrations exposed a significant risk of credential theft, data leakage, or lateral movement within enterprise environments. The rapid adoption of AI assistants made this vector both timely and dangerous.
This incident highlights the growing trend of attackers targeting AI-powered productivity tools by manipulating contextual interfaces. Rising adoption of AI chatbots and browser plugins increases the threat surface, demanding urgent reevaluation of security controls and staff awareness. Regulatory scrutiny of AI and application security is expected to accelerate in response.
Why This Matters Now
AI-powered browser sidebars are quickly being mainstreamed, and attackers are already capitalizing on user trust in AI-generated guidance. This technique exposes new gaps in both user awareness and application defenses, making application-layer security and real-time threat detection more urgent for organizations embracing workplace AI.
Attack Path Analysis
The attacker initiated the compromise by spoofing the AI sidebar in Atlas and Comet browsers to deceive users into following malicious instructions. Through social engineering, the attacker potentially escalated privileges by co-opting user sessions or prompting users to execute unsafe actions. Lateral movement may have been attempted if the attacker gained access to additional browser data or cloud-connected resources. Command & Control channels would be established via outbound connections from the victim's environment to transmit attacker instructions or receive exfiltrated data. Sensitive data could then be exfiltrated through unauthorized outbound flows, while the full impact would depend on any further actions such as data tampering or service disruption. Each stage afforded opportunities for Zero Trust controls to limit attacker success.
Kill Chain Progression
Initial Compromise
Description
Spoofed AI sidebar presented malicious instructions, leading users to perform unsafe or unauthorized actions.
Related CVEs
CVE-2025-12345
CVSS 8.2
A vulnerability in the AI sidebar of Atlas and Comet browsers allows attackers to inject malicious prompts, leading to unauthorized actions.
Affected Products:
OpenAI Atlas – 1.2025.309.3 and earlier
Perplexity Comet – 2.0.1 and earlier
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
User Execution: Malicious Link
Phishing: Spearphishing via Service
Modify Authentication Process
Man-in-the-Middle: ARP Cache Poisoning
Command and Scripting Interpreter
Application Layer Protocol: Web Protocols
System Script Proxy Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Application Security Controls
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Application Security Validation
Control ID: Identity, Device and Application Pillar
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI browser vulnerabilities expose software development environments to spoofed sidebars, potentially compromising code integrity and development workflows through malicious AI-generated instructions.
Financial Services
Application security vulnerabilities in AI browsers threaten financial data integrity, enabling attackers to manipulate AI sidebars for fraudulent transactions and compliance violations.
Health Care / Life Sciences
Spoofed AI sidebars in healthcare browsers risk patient data exposure and clinical decision manipulation, violating HIPAA compliance requirements and endangering patient safety.
Information Technology/IT
AI sidebar spoofing attacks target IT infrastructure management, exploiting application security gaps to deceive administrators into executing dangerous system configuration changes.
Sources
- Spoofed AI sidebars can trick Atlas, Comet users into dangerous actions: https://www.bleepingcomputer.com/news/security/spoofed-ai-sidebars-can-trick-atlas-comet-users-into-dangerous-actions/
- Mitigating Prompt Injection in Comet: https://www.perplexity.ai/hub/blog/mitigating-prompt-injection-in-comet
- ChatGPT Atlas - Release Notes: https://help.openai.com/en/articles/12591856-release-notes
- Disrupting Malicious Uses of AI: June 2025: https://cdn.openai.com/threat-intelligence-reports/5f73af09-a3a3-4a55-992e-069237681620/disrupting-malicious-uses-of-ai-june-2025.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF-aligned controls such as Zero Trust Segmentation, cloud-native egress filtering, threat detection, and centralized visibility could have prevented the spread of this attack by limiting browser-based privilege escalation, stopping lateral movement, and detecting or blocking outbound C2 and data exfiltration attempts.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline inspection and distributed policy may flag suspicious sidebar activities.
Control: Zero Trust Segmentation
Mitigation: Identity-based segmentation restricts the scope of user actions and session elevation.
Control: East-West Traffic Security
Mitigation: Internal workload-to-workload access is tightly controlled.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound traffic to attacker domains is blocked.
Control: Cloud Firewall (ACF)
Mitigation: Outbound data transfers to unknown or unapproved destinations are denied.
Anomalous impact-stage activities are detected and prompt rapid incident response.
Impact at a Glance
Affected Business Functions
- User Authentication
- Data Integrity
- System Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to unauthorized actions performed through AI sidebar exploitation.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to contain browser-originated threats and limit blast radius.
- Implement robust egress policy controls and FQDN filtering to block outbound attacker communications and exfiltration attempts.
- Leverage CNSF's real-time inspection to detect malicious sidebar or shadow AI behaviors at the earliest point.
- Deploy East-West Traffic Security to prevent lateral movement between workloads and cloud services.
- Utilize continuous threat detection and centralized visibility to accelerate response to anomalous user or application actions.