{"id":24898,"date":"2025-11-13T12:53:04","date_gmt":"2025-11-13T17:53:04","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24898"},"modified":"2025-11-13T21:56:35","modified_gmt":"2025-11-13T17:56:35","slug":"ai-sidebar-spoofing-atlas-comet","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ai-sidebar-spoofing-atlas-comet\/24898\/","title":{"rendered":"AI sidebar spoofing: a new attack on AI browsers"},"content":{"rendered":"

Cybersecurity researchers have revealed a new attack method targeting AI browsers, which they refer to as AI sidebar spoofing<\/a>. This attack exploits users\u2019 growing habit of blindly trusting instructions they get from artificial intelligence. The researchers successfully implemented AI sidebar spoofing against two popular AI browsers: Comet by Perplexity and Atlas by OpenAI.<\/p>\n

Initially, the researchers used Comet for their experiments, but later confirmed that the attack was viable in the Atlas browser as well. This post uses Comet as an example when explaining the mechanics of AI sidebar spoofing, but we urge the reader to remember that everything stated below also applies to Atlas.\n<\/p>\n

How do AI browsers work?<\/h2>\n

\nTo begin, let\u2019s wrap our heads around AI browsers. The idea of artificial intelligence replacing, or at least transforming<\/a> the familiar process of searching the internet began to generate buzz between 2023 and 2024. The same period saw the first-ever attempts to integrate AI into online searches.<\/p>\n

Initially, these were supplementary features within conventional browsers \u2014 such as Microsoft Edge Copilot<\/a> and Brave Leo<\/a> \u2014 implemented as AI sidebars. They added built-in assistants to the browser interface for summarizing pages, answering questions, and navigating sites. By 2025, the evolution of this concept ushered in Comet<\/a> from Perplexity AI \u2014 the first browser designed for user-AI interaction from the ground up.<\/p>\n

This made artificial intelligence the centerpiece of Comet\u2019s user interface, rather than just an add-on. It unified search, analysis, and work automation into a seamless experience. Shortly thereafter, in October 2025, OpenAI introduced its own AI browser, Atlas<\/a>, which was built around the same concept.<\/p>\n

Comet\u2019s primary interface element is the input bar in the center of the screen, through which the user interacts with the AI. It\u2019s the same with Atlas.<\/p>\n

\"The<\/a>

The home screens of Comet and Atlas demonstrate a similar concept: a minimalist interface with a central input bar and built-in AI that becomes the primary method of interacting with the web<\/p><\/div>\n

Besides, AI browsers allow users to engage with the artificial intelligence right on the web page. They do this through a built-in sidebar that analyzes content and handles queries \u2014 all without having the user leave the page. The user can ask the AI to summarize an article, explain a term, compare data, or generate a command while remaining on the current page.<\/p>\n

\"Interacting<\/a>

The sidebars in both Comet and Atlas allow users to query the AI without navigating to separate tabs \u2014 you can analyze the current site, and ask questions and receive answers within the context of the page you\u2019re on<\/p><\/div>\n

This level of integration conditions users to take the answers and instructions provided by the built-in AI for granted. When an assistant is seamlessly built into the user interface and feels like a natural part of the system, most people rarely stop to double-check the actions it suggests.<\/p>\n

This trust is precisely what the attack demonstrated by the researchers exploits. A fake AI sidebar can issue false instructions \u2014 directing the user to execute malicious commands or visit phishing websites.\n<\/p>\n

How did the researchers manage to execute the AI sidebar spoofing attack?<\/h2>\n

\nThe attack starts with the user installing a malicious extension. To do its evil deeds, it needs permissions to view and modify data on all visited sites, as well as access to the client-side data storage API.<\/p>\n

All of these are quite standard permissions; without the first one \u2014 no browser extension will work at all. Therefore, the chances that the user will get suspicious when a new extension requests these permissions are almost zero. You can read more about browser extensions and the permissions they request in our post Browser extensions: more dangerous than you think<\/strong><\/a>.<\/p>\n

\"Comet's<\/a>

A list of installed extensions in the Comet user interface. The disguised malicious extension, AI Marketing Tool, is visible among them. Source<\/a><\/p><\/div>\n

Once installed, the extension injects JavaScript into the web page and creates a counterfeit sidebar that looks strikingly similar to the real thing. This shouldn\u2019t raise any red flags with the user: when the extension receives a query, it talks to the legitimate LLM and faithfully displays its response. The researchers used Google Gemini in their experiments, though OpenAI\u2019s ChatGPT likely would have worked just as well.<\/p>\n

\"AI<\/a>

The screenshot shows an example of a fake sidebar that\u2019s visually very similar to the original Comet Assistant. Source<\/a><\/p><\/div>\n

The fake sidebar can selectively manipulate responses to specific topics or key queries set in advance by the potential attacker. This means that in most cases, the extension will simply display legitimate AI responses, but in certain situations<\/em> it will display malicious instructions, links, or commands instead.<\/p>\n

How realistic is the scenario where an unsuspecting user installs a malicious extension capable of the actions described above? Experience shows it is highly probable. On our blog, we\u2019ve repeatedly reported on dozens of malicious and suspicious extensions that successfully make it into the official Chrome Web Store. This continues to occur despite all the security checks conducted by the store and the vast resources at Google\u2019s disposal. Read more about how malicious extensions end up in official stores in our post 57 shady Chrome extensions clock up six million installs<\/strong><\/a>.\n<\/p>\n

Consequences of AI sidebar spoofing<\/h2>\n

\nNow let\u2019s discuss what attackers can use a fake sidebar for. As noted by the researchers, the AI sidebar spoofing attack offers potential malicious actors ample opportunities to cause harm. To demonstrate this, the researchers described three possible attack scenarios and their consequences: crypto-wallet phishing, Google account theft, and device takeover. Let\u2019s examine each of them in detail.\n<\/p>\n

Using a fake AI sidebar to steal Binance credentials<\/h3>\n

\nIn the first scenario, the user asks the AI in the sidebar how to sell their cryptocurrency on the Binance crypto exchange. The AI assistant provides a detailed answer that includes a link to the crypto exchange. But this link doesn\u2019t lead to the real Binance site \u2014 it takes you to a remarkably convincing fake. The link points to the attacker\u2019s phishing site, which uses the fake domain name binacee<\/strong>.<\/p>\n

\"Phishing<\/a>

The fake login form on the domain login{.}binacee{.}com is nearly indistinguishable from the original, and is designed to steal user credentials. Source<\/a><\/p><\/div>\n

Next, the unsuspecting user enters their Binance credentials and the code for two-factor authentication, if needed. After this, the attackers gain full access to the victim\u2019s account and can siphon off all funds from their crypto wallets.\n<\/p>\n

Using a fake AI sidebar to take over a Google account<\/h3>\n

\nThe next attack variation also begins with a phishing link \u2014 in this case, to a fake file-sharing service. If the user clicks the link, they\u2019re taken to a website where the landing page prompts them to sign in with their Google account right away.<\/p>\n

After the user clicks this option, they\u2019re redirected to the legitimate<\/em> Google login page to enter their credentials there, but then the fake platform requests full access to the user\u2019s Google Drive and Gmail.<\/p>\n

\"Google<\/a>

The fake application share-sync-pro{.}vercel{.}app requests full access to the user\u2019s Gmail and Google Drive. This gives the attackers control over the account. Source<\/a><\/p><\/div>\n

If the user fails to scrutinize the page, and automatically clicks Allow, they grant attackers permissions for highly dangerous actions:\n<\/p>\n