Google plans to add a second Gemini-based model to Chrome to address the security problems created by adding the first Gemini model to Chrome.
In September, Google added a Gemini-powered chat window to its browser and promised the software would soon gain agentic capabilities that allow it to interact with browser controls and other tools in response to a prompt.
Allowing error-prone AI models to browse the web without human intervention is dangerous, because the software can ingest content – perhaps from a maliciously crafted web page – that instructs it to ignore safety guardrails. This is known as “indirect prompt injection.”
Google knows about the risks posed by indirect prompt injection, and in a Monday blog post Chrome security engineer Nathan Parker rated it as “the primary new threat facing all agentic browsers.”
“It can appear in malicious sites, third-party content in iframes, or from user-generated content like user reviews, and can cause the agent to take unwanted actions such as initiating financial transactions or exfiltrating sensitive data,” Parker wrote.
The seriousness of the threat recently led IT consultancy Gartner to recommend that companies block all AI browsers.
The Chocolate Factory, having invested billions in AI infrastructure and services, would prefer that people embrace AI rather than shun it. So the ad biz is adding a second model to keep its Gemini-based agent in line.
Parker refers to the oversight mechanism “a User Alignment Critic.”
“The User Alignment Critic runs after the planning is complete to double-check each proposed action,” he explains. “Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the Alignment Critic will veto it.”
According to Parker, Google designed the Critic so attackers cannot poison it by exposing the model to malicious content.
Enlisting one machine learning model to moderate another has become an accepted pattern among AI firms. Suggested by developer Simon Willison in 2023, it was formalized in a Google DeepMind paper published this year. The technique is called “CaMeL,” which stands for “CApabilities for MachinE Learning.”
Parker adds that Google is also bringing Chrome’s origin-isolation abilities to agent-driven site interactions.
The web’s security model is based on the same-origin policy – sites should not have access to data that comes from different origins (e.g. domains). And Chrome tries to enforce Site Isolation, which puts cross-site data in different processes, away from the web page process, unless allowed by CORS.
Google extended this design to agents using tech called Agent Origin Sets that aims to prevent Chrome-based AI from interacting with data from arbitrary origins. The Register understands that Chrome devs have incorporated some of this work, specifically the origin isolation extension, into current builds of the browser, and that other agentic features will appear in future releases.
Additionally, Google aims to make Chrome’s agentic interactions more transparent, so user directives to tackle some complicated task don’t end in tears when things go awry. The model/agent will seek user confirmation before navigating to sites that deal with sensitive data (e.g. banks, medical sites). Also, the robo-browser will also seek confirmation before letting Chrome sign-in to a site using the Google Password Manager. And for sensitive web actions like online purchases, sending messages, or other unspecified consequential actions, the agent will either ask for permission or just tell the user to complete the final step.
To ensure that security researchers put Chrome’s agentic safeguards to the test, Parker says Google has revised its Vulnerability Rewards Program (aka bug bounties) to offer payouts for folks who find flaws.
“We want to hear about any serious vulnerabilities in this system and will pay up to $20,000 for those that demonstrate breaches in the security boundaries,” said Parker. ®