We simply don’t know how to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment—and … | Simon Willison’s Weblog
Learn the critical difference between prompt injection and jailbreaking attacks, with real CVEs, production defenses, and test configurations. | Promptfoo Blog
Piloting Claude for Chrome | Two days ago I said: I strongly expect that the entire concept of an agentic browser extension is fatally flawed and cannot be built safely. Today Anthropic announced their own take on this pattern, implemented as an invite-only preview Chrome extension. To their credit, the majority of the blog post and accompanying support article is information about the security risks. From their post: Just as people encounter phishing attempts in their inboxes, browser-using AIs... | Simon Willison's Weblog
Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet | The security team from Brave took a look at Comet, the LLM-powered "agentic browser" extension from Perplexity, and unsurprisingly found security holes you can drive a truck through. The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s... | Simon Willison's Weblog
I gave a talk on Wednesday at the Bay Area AI Security Meetup about prompt injection, the lethal trifecta and the challenges of securing systems that use MCP. It wasn’t … | Simon Willison’s Weblog