Explainer
This project demonstrates how computer controlling AI agents (CCAs) can be manipulated through indirect prompt injections. We show how attackers can derail these systems to execute malicious commands, leak data, or spread misinformation through everyday digital content like websites, files, and emails.
Example attacks
To illustrate the risks posed by Computer Control Agents (CCAs), we have selected four key attack demonstrations from the original report. These examples showcase how attackers can derail CCA systems using indirect prompt injections, resulting in cyber security exploits.
For a more in-depth analysis and additional demonstrations, refer to the full report.
1. Advertisements
Malicious ads redirect agents to adversarial websites that execute system commands.
Impact: Remote code execution
2. Forum comment remote access
Poisoned technical advice in forums triggers reverse shell installation.
Impact: Full system compromise
3. Session cookie theft
Adversarial documentation instructs CCA to steal authentication cookies through developer tools.
Impact: Account takeover
4. Emailing network cut-off
Phishing emails with obfuscated commands completely disable network connectivity.
Impact: Denial of service