Comment by lbeurerkellner
2 months ago
Interesting report. Though, I think many of the attack demos cheat a bit, by putting injections more or less directly in the prompt (here via a website at least).
I know it is only one more step, but from a privilege perspective, having the user essentially tell the agent to do what the attackers are saying, is less realistic then let’s say a real drive-by attack, where the user has asked for something completely different.
Still, good finding/article of course.
> Though, I think many of the attack demos cheat a bit, by putting injections more or less directly in the prompt (here via a website at least)
What difference does that make? The prompt is to read a website and the injection is on that website hidden in html. People aren't going to read the HTML of every website before they scrape it, so this is not an unrealistic vulnerability.
Even worse, it ran arbitrary commands to get around its own restrictions. This just confirms if Antigravity tries to scrape a website with user generated content for any reason, whether the user provides the link or not, you have left your entire machine vulnerable.