Feedback & Followups
- Yet another real-world example of the dangers of poor secret hygiene: Over 10,000 Docker Hub images found leaking credentials, auth keys — www.bleepingcomputer.com/…
- 🇬🇧 UK fines LastPass £1.2M over 2022 data breach impacting 1.6 million users — cyberinsider.com/…
Deep Dive — Google’s New Agentic AI Browser Security Framework
There have been a lot of conversations around agentic AI browsers on the NosillaCast recently, and the one thing they’ve all had in common is a resounding warning to be very cautious at the moment, because we’re still in the wild-west-like early days, where there are a lot of very dangerous bugs. One of the things I have been saying is that we need a fundamental change in architecture to avoid the fundamental problem of feeding both the user’s prompt and the content of the web pages being interacted with into the same LLM, which makes prompt injection almost inevitable.
Google have just released details of their planned architecture to start addressing those problems in Chrome. Their approach is interesting and promising, so while this is not the end of the wild-west days, nor even the beginning of the end, it just might be the end of the beginning (as Churchill might have put it).
Google’s architecture has the following key components:
- The so-called User Alignment Critic — a completely separate LLM that is never fed any content from the web, so it can’t be prompt-injected. It watches over the agent’s activities to ensure they remain aligned with the user’s best interests. This is AI watching AI, so it can’t ever be perfect, but having an isolated AI that can’t be prompt-injected is a very promising idea.
- So-called origin sets — this is basically the AI version of the existing same-origin model used to restrict JavaScript code from reaching outside the website the user explicitly visited. This stops a rogue agent from accessing random sites as the user.
- Google will show the user exactly what the agent is doing through what amounts to a real-time activity log, and dangerous actions will require explicit confirmation to proceed.
- A third AI will check the content the agent is about to ingest as context for known kinds of prompt injection. Again, it can’t ever be perfect, but, like anti-virus, it should weed out everything but the most novel and innovative techniques.
Google are also putting their money where their mouth is by adding new categories to their bug bounty program to cover these new security controls.
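To make two of those controls concrete, here is a small added example (not Google’s or Chrome’s code, and not part of the original show notes): a toy policy layer that holds the “origin set” of sites the user actually opened, refuses any agent action outside it, requires a confirmation callback for dangerous action types, and prints the activity log the user would watch. The class and function names, the action types in `DANGEROUS_ACTIONS`, and the sample plan are all assumptions made for illustration; the origin comparison itself follows the browser same-origin triple of scheme, host and port.

```python
# Added example (not Google's or Chrome's code): a toy model of the "origin set"
# and "dangerous actions need confirmation" controls described above.
# Names, action types and the sample plan are assumptions for illustration.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its (scheme, host, port) origin, the same triple the
    browser's same-origin policy uses. Raises ValueError for anything that is
    not an absolute http(s) URL with a host (e.g. javascript: URLs)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


class OriginSet:
    """The origins the user explicitly opened for this task; the agent may
    only act on these, never on a site a web page talked it into visiting."""

    def __init__(self, seed_urls):
        self.allowed = {origin_of(u) for u in seed_urls}

    def permits(self, url: str) -> bool:
        return origin_of(url) in self.allowed


# Action types that change state for the user and therefore need explicit
# confirmation (assumed list, mirroring the "dangerous actions" rule).
DANGEROUS_ACTIONS = {"submit_form", "purchase", "send_message", "download"}


def evaluate(action: dict, origin_set: OriginSet, confirm) -> str:
    """Decide one proposed agent action. `confirm` is a callback standing in
    for the user's explicit approval prompt. Returns 'allow', 'blocked',
    'confirmed' or 'declined'."""
    try:
        in_set = origin_set.permits(action["url"])
    except ValueError:
        in_set = False  # malformed or non-http(s) targets are never allowed
    if not in_set:
        return "blocked"
    if action["type"] in DANGEROUS_ACTIONS:
        return "confirmed" if confirm(action) else "declined"
    return "allow"


def run_agent_plan(plan, origin_set: OriginSet, confirm) -> list:
    """Evaluate each step of an agent's plan, printing the activity log the
    user would watch, and return the list of decisions."""
    decisions = []
    for action in plan:
        decision = evaluate(action, origin_set, confirm)
        print(f"[agent] {action['type']:<12} {action['url']:<42} -> {decision}")
        decisions.append(decision)
    return decisions


# Constructed sample: the user opened shop.example; a prompt-injected page then
# tries to steer the agent to another origin and to an unsupported URL scheme.
SAMPLE_PLAN = [
    {"type": "read", "url": "https://shop.example/item/42"},
    {"type": "read", "url": "https://SHOP.example:443/account"},  # same origin
    {"type": "submit_form", "url": "https://shop.example/checkout"},
    {"type": "read", "url": "https://attacker.example/collect?data=secret"},
    {"type": "purchase", "url": "https://shop.example/buy"},
    {"type": "read", "url": "javascript:alert(1)"},
]


def approve_forms_only(action: dict) -> bool:
    """Stand-in for the confirmation prompt: the user says yes to form
    submissions and no to purchases."""
    return action["type"] == "submit_form"


if __name__ == "__main__":
    run_agent_plan(SAMPLE_PLAN, OriginSet(["https://shop.example/"]), approve_forms_only)
```

Note that `http://shop.example` and `https://shop.example` are different origins here, exactly as they are for JavaScript; seeding the set with the URL the user actually opened is what keeps a downgraded or look-alike target out.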
Links
- A nice summary: https://www.bleepingcomputer.com/news/security/google-chrome-adds-new-security-layer-for-gemini-ai-agentic-browsing/
- A good detailed explanation: https://cyberinsider.com/google-launches-new-security-architecture-for-ai-agents-in-chrome/
Discussion — AI Agents in Meetings
Allison suggested a free-form discussion based on this communiqué received by a Nosillacastaway: Important Security Notice: Required Deactivation of Read AI — it.uw.edu/… (UW is the University of Washington in the US).
Related insight from Bart: Maynooth University similarly do not allow third-party AI tools to integrate into meetings, but they do allow the corporate version of Microsoft Copilot. Why? Because Microsoft offer guaranteed data boundaries and certify compliance with relevant legislation like GDPR. Organisations using the corporate version of Copilot can be sure their data does not leave their Office 365 tenancy when it’s processed by Microsoft’s various Copilots.
❗ Action Alerts
- Microsoft Patch Tuesday, December 2025 Edition — krebsonsecurity.com/… (56 patches, including one for a zero-day)
- Apple’s OS 26.2 updates are more than just bug fixes and new features: there are some zero-day fixes in there.
- https://support.apple.com/en-us/125884
- Google fixes eighth Chrome zero-day exploited in attacks in 2025 — www.bleepingcomputer.com/…
- ⚠️ PC Users: Major motherboard brands vulnerable to PCIe attacks by rogue peripherals — cyberinsider.com/…
- The affected brands are ASRock, ASUS, GIGABYTE & MSI
- Physical access is required to abuse this flaw, so that limits many people’s exposure
- Firmware updates have been released by all four vendors
Worthy Warnings
- A great illustration of why there is no such thing as a back door just for the goodies: Hackers posed as law enforcement to gain private Apple Account data — appleinsider.com/…
- A great illustration of why data validation is important: Beware: PayPal subscriptions abused to send fake purchase emails — www.bleepingcomputer.com/…
- It should not be possible for attackers to add anything but a URL into the Customer Service URL field!
- Pay attention to the labels on things β if data appears next to an inappropriate label, consider that a red flag!
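The point about the Customer Service URL field is the classic input-validation lesson: a field with a specific meaning should accept only values of that shape. As an added example (not PayPal’s code, and not part of the original notes), here is a strict validator for a URL-only field next to a set of constructed sample inputs, including the kind of free-text message an attacker would want to smuggle in. The function names, host rule and sample strings (the 555 phone number included) are assumptions for illustration.

```python
# Added example (not PayPal's code): strict validation for a field that must
# contain a URL and nothing else. Names and sample values are constructed.
import re
from urllib.parse import urlsplit

# A host is dotted labels of letters, digits and hyphens; anything else
# (spaces, percent-encoding, brackets, Unicode) is rejected outright.
_HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def validate_customer_service_url(value: str) -> str:
    """Return the value if it is a plain absolute http(s) URL, otherwise raise
    ValueError. The checks are ordered from cheapest to most specific."""
    if not isinstance(value, str):
        raise ValueError("must be a string")
    if not 1 <= len(value) <= 2048:
        raise ValueError("bad length")
    # Free text has whitespace; a URL never does. Non-ASCII is rejected too,
    # which also keeps look-alike characters out of the host.
    if any(ch.isspace() for ch in value) or not value.isascii():
        raise ValueError("whitespace or non-ASCII characters not allowed")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo (user:pass@) not allowed")
    host = parts.hostname or ""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host {host!r}")
    return value


def is_valid_customer_service_url(value) -> bool:
    """Boolean wrapper for use in a form handler or a test."""
    try:
        validate_customer_service_url(value)
        return True
    except ValueError:
        return False


# Constructed samples: one genuine support URL and several strings that
# should never survive validation of a URL-only field.
SAMPLES = {
    "https://support.example.com/help?topic=orders": True,
    "Call 1-800-555-0100 to cancel this $499 charge": False,          # free text
    "https://support.example.com/help Call 1-800-555-0100": False,    # URL + text
    "javascript:alert(1)": False,                                     # wrong scheme
    "https://user:pass@support.example.com/": False,                  # userinfo
    "https://support.example.com%20call%201-800-555-0100/": False,    # encoded space in host
    "http://[::1]/": False,                                           # IP literal
}


def check_samples() -> bool:
    """True when every sample is classified as expected."""
    return all(is_valid_customer_service_url(v) == expected
               for v, expected in SAMPLES.items())


if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        print(f"{is_valid_customer_service_url(value)!s:<5} (expected {expected!s:<5}) {value}")
```

Rejecting whitespace before parsing is deliberate: `urlsplit` is lenient and will happily split a sentence containing a URL, so the structural checks alone would not catch “URL followed by a message”.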
- GhostPairing attack hijacks WhatsApp accounts without stealing passwords — cyberinsider.com/…
- Tricks users into scanning the QR Code to authorise a device link, logging the attackers in as the user!
- Beware of scanning QR codes in unexpected places — always remember a QR code is a URL in a pretty costume, so look up and check the address bar when you arrive at a destination, and always read all warning messages carefully!
- Suggested Reading (nothing you can do to protect yourself ATM): Tool allows stealthy tracking of Signal and WhatsApp users through delivery receipts — cyberinsider.com/…
Notable News
- Firefox 146 introduces encrypted local backups for Windows users — cyberinsider.com/…
- Related Suggested Reading: Mozilla’s next chapter: Building the world’s most trusted software company — blog.mozilla.org/… (message from the new CEO)
- Telegram adds passkey support for secure frictionless logins — cyberinsider.com/… (Mine is set up)
Interesting Insights
- Suggested reading: MITRE shares 2025’s top 25 most dangerous software weaknesses — www.bleepingcomputer.com/…
- Disturbingly little changes year-to-year or even decade-to-decade; developers are still making the same trivial dumb mistakes
Palate Cleansers
- From Bart: Positive trends related to public IP ranges from the year 2025 — isc.sans.edu/…
- From Allison: Joop (aka @oetgrunnen in our Podfeet Slack) posted a video from Functional Excel explaining how to make an animated Christmas tree: podfeet.slack.com/…
- If you don’t want to join our Slack, just search online for “animated Christmas tree in Excel” and you’ll find lots of examples. I made one and invented my own Menorah! Happy Holidays, folks!


Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
