Chrome warns developers of AI agent hijacking via WebMCP tools

Image credit: Search Engine Journal

Google Chrome has issued new guidance for web and AI agent developers, warning that WebMCP tools can be exploited to manipulate and hijack AI agents through prompt injection.

The vulnerabilities, which allow malicious actors to gain control of AI agents, are not exclusive to WebMCP but stem from fundamental flaws inherent in Large Language Models (LLMs) and Chrome extensions, according to the guidance.

AI agents face two primary attack vectors: malicious manifests and contaminated outputs. Malicious manifests involve hidden prompt injections embedded within tool descriptions, while contaminated outputs deliver malicious instructions through returned information, even from seemingly trusted tools.

Google Chrome reported that LLMs struggle to reliably prevent prompt injection because their probabilistic nature processes instructions and user data as a single sequence of tokens, making it difficult to differentiate benign from malicious inputs.

To mitigate these risks, Chrome recommends a layered security approach. This strategy combines deterministic controls, such as token limits and user confirmation prompts, with probabilistic safeguards like prompt injection classifiers and critic models, according to the guidance.

Developers of WebMCP tools are advised to implement specific annotation hints. These include ‘untrustedContentHint’ and ‘readOnlyHint’ to signal potentially unsafe content or restricted access, and an ‘exposedTo’ setting to specify trusted origins for tool exposure.

The guidance acknowledges that prompt injection remains a significant and fundamental challenge for ensuring the security of AI agents, underscoring the ongoing need for defensive measures.

Source: Search Engine Journal