Mozilla's pivot to AI first browsing raises fundamental questions about what a browser should be. Waterfox won't include them. The browser's job is to serve you, not think for you.
They have and they’ve explicitly said it’s not solved lmao
A 1% attack success rate—while a significant improvement—still represents meaningful risk. No browser agent is immune to prompt injection, and we share these findings to demonstrate progress, not to claim the problem is solved
I’ve used agents, they tell you everything they’re going to do. And they’re incredibly slow and stupid. I don’t think OPs original premise of it instantly and secretly stealing your bank account details is realistic.
I don’t think I said prompt injection didn’t exist, just that it didn’t need to be worried about by users in exactly the way that was described
and these browsers are specifically not that… these browsers are intended to do things like categorise tabs, complete forms, etc automatically without your interaction
of course they’ll ask before they do things they consider destructive, but what they consider destructive and what a malicious actor can use are very different things
some of that is certainly benign, but the point with prompt injection is that it can take benign things and make them plausibly malicious
They have and they’ve explicitly said it’s not solved lmao
Mitigating the risk of prompt injections in browser use \ Anthropic - https://www.anthropic.com/research/prompt-injection-defenses
I’ve used agents, they tell you everything they’re going to do. And they’re incredibly slow and stupid. I don’t think OPs original premise of it instantly and secretly stealing your bank account details is realistic.
I don’t think I said prompt injection didn’t exist, just that it didn’t need to be worried about by users in exactly the way that was described
and these browsers are specifically not that… these browsers are intended to do things like categorise tabs, complete forms, etc automatically without your interaction
of course they’ll ask before they do things they consider destructive, but what they consider destructive and what a malicious actor can use are very different things
some of that is certainly benign, but the point with prompt injection is that it can take benign things and make them plausibly malicious