Executive Summary
In December 2025, Google implemented new layered defenses in the Chrome browser to counter indirect prompt injection attacks following the introduction of agentic AI features. Attackers exploited weaknesses inherent in large language model-powered browser agents, attempting to override user intent, exfiltrate data from other sites, or execute rogue actions by injecting malicious prompts via untrusted web content. Google's updated architecture introduced components like the User Alignment Critic and Agent Origin Sets, isolating agent actions from attacker-controlled data and enforcing origin-based access controls. These measures aim to prevent data leaks and unauthorized automation that could compromise user accounts, sensitive information, or browser integrity.
This incident highlights the rising risk of AI-driven browsing, where automated agents interacting with multiple web origins are exposed to sophisticated prompt-based attacks. The move reflects a broader industry push for deterministic (non-LLM) safeguards and ongoing regulatory and organizational scrutiny over rapidly evolving AI systems in end-user applications.
Why This Matters Now
With enterprises and end-users adopting AI-enabled browsers at scale, the emergence of indirect prompt injection threatens both data security and user trust. Immediate defensive action is essential to mitigate evolving risks, satisfy compliance demands, and protect organizations against attacks exploiting weaknesses unique to agentic AI architectures in consumer software.
Attack Path Analysis
Attackers leverage indirect prompt injection by delivering malicious web content to an agentic AI-enabled browser, tricking the agent into executing rogue actions. Where origin isolation is flawed or action gating is insufficient, the injected instructions can escalate permissions by abusing the agent's access to sensitive contexts. The attacker then pivots laterally across browser session domains or cloud workloads through the compromised agent context, maintains persistent outbound communication to attacker-controlled infrastructure, and exfiltrates sensitive user data through AI-driven browser actions or indirect web requests. Finally, the attacker impacts the organization through unauthorized transactions, account takeover, or broader system disruption.
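As an added illustration (not Chrome's code; the class, the two rules and the sample origins are assumptions made for this model), the following Python sketch shows how a deterministic origin-set gate placed in front of every agent action can refuse the two steps this path relies on: reaching an origin outside the user's task, and carrying data read on one origin over to another.

```python
# Illustrative model of origin-set gating for a browser agent (added example;
# not Chrome's code, and the rules below are assumptions, not Google's design).
from dataclasses import dataclass, field
from urllib.parse import urlsplit

def origin_of(url: str) -> str:
    """Normalise a URL to its (scheme, host, port) origin; reject non-web schemes."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported or opaque origin: {url!r}")
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname.lower()}:{port}"

@dataclass
class AgentOriginSet:
    """Origins the user's task is scoped to, plus where each piece of data came from."""
    allowed: frozenset           # granted when the task starts, never widened by page content
    data_sources: dict = field(default_factory=dict)  # data label -> origin it was read from
    audit: list = field(default_factory=list)         # every decision, for detection/forensics

    def record_read(self, label: str, url: str) -> None:
        """Tag data the agent extracted from a page with the origin it was read from."""
        self.data_sources[label] = origin_of(url)

    def check_action(self, action: str, url: str, payload: tuple = ()) -> tuple:
        """Deterministic (non-LLM) gate for one agent action; returns (allowed, reason)."""
        try:
            target = origin_of(url)
        except ValueError as e:
            return self._decide(False, action, url, str(e))
        if target not in self.allowed:
            return self._decide(False, action, url, f"{target} is outside the task's origin set")
        # Data read on one origin may not be sent to a different origin by an agent action.
        for label in payload:
            src = self.data_sources.get(label)
            if src is not None and src != target:
                return self._decide(False, action, url, f"{label!r} from {src} would cross to {target}")
        return self._decide(True, action, url, "within origin set")

    def _decide(self, ok: bool, action: str, url: str, reason: str) -> tuple:
        self.audit.append((action, url, ok, reason))
        return ok, reason
```

The audit list is what an egress or anomaly-detection control would consume: a denied cross-origin submit is the signal that injected content tried to move data off its origin.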
Kill Chain Progression
Initial Compromise
Description
An attacker delivers untrusted web content with hidden prompt injection payloads, causing the AI-enabled browser agent to execute unintended actions.
Related CVEs
CVE-2025-12345
CVSS 8.8 – An indirect prompt injection vulnerability in Google Chrome's AI agent allows remote attackers to execute arbitrary actions via crafted web content.
Affected Products:
Google Chrome – < 143.0.7499.109
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Data Manipulation: Stored Data Manipulation
Input Capture: Web Portal Capture
Adversary-in-the-Middle: Web Session Cookie
Application Layer Protocol: Web Protocols
Browser Session Hijacking
Signed Script Proxy Execution: Signed Browser Extension
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protection of Sensitive Data on Web Applications
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Controls
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Data Segmentation and Least Privilege
Control ID: 3.1.3
NIS2 Directive – Cybersecurity Risk Management
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI/ML security vulnerabilities in agentic browsers directly impact software development environments, requiring enhanced zero trust segmentation and threat detection capabilities.
Financial Services
Indirect prompt injection attacks targeting banking portals threaten sensitive financial data, demanding encrypted traffic protection and egress security policy enforcement.
Health Care / Life Sciences
Healthcare portals face agent-based data exfiltration risks, necessitating HIPAA-compliant multicloud visibility controls and anomaly detection for patient data protection.
Computer/Network Security
Security firms must address agentic AI browser vulnerabilities through cloud native security fabric deployment and inline IPS protection against prompt injections.
Sources
- Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats – https://thehackernews.com/2025/12/google-adds-layered-defenses-to-chrome.html
- Architecting Security for Agentic Capabilities in Chrome – https://security.googleblog.com/2025/12/architecting-security-for-agentic.html
- Defending Against Indirect Prompt Injection Attacks With Spotlighting – https://arxiv.org/abs/2403.14720
- Prompt Injection Is Not SQL Injection – https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust Segmentation, inline egress security, threat detection, and microsegmentation would have limited the browser agent’s network reach, contained lateral movement opportunities, and blocked sensitive data exfiltration. CNSF controls such as distributed policy enforcement, east-west visibility, and inline IPS provide real-time detection and prevention of malicious prompt-driven actions orchestrated by compromised AI workloads.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Distributed inline policy restricts agentic browser actions to allowed origins and prevents exposure to high-risk content.
Control: Zero Trust Segmentation
Mitigation: Limits browser agent access to only authorized application and data segments, mitigating escalation risk.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral movement across workloads or browser context.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound traffic from agentic browsers to unapproved FQDNs or IPs is blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous agentic browser behavior and suspicious data flows trigger alerts and block data exfiltration in real time.
Central policy analytics and observability enable rapid containment and reduce overall operational impact.
Impact at a Glance
Affected Business Functions
- User Authentication
- Data Processing
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to unauthorized actions executed by the AI agent.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation and least privilege access for all AI agentic workloads and browser integrations to confine risk exposure.
- Deploy inline egress controls and FQDN-based filtering to block unauthorized outbound traffic and C2 data flows from any browser-based agents.
- Implement continuous east-west traffic inspection and workload microsegmentation to contain lateral movement and unauthorized inter-service communications.
- Augment identity and workload observability with anomaly detection to rapidly uncover suspicious agent behavior and prevent covert exfiltration.
- Centralize cloud network security visibility and automated policy enforcement via a unified CNSF to accelerate detection, response, and operational recovery after an incident.