New agentic browser attack lets emails trigger Google Drive wipe

A new technique targeting Perplexity’s Comet browser can turn an ordinary-looking email into a command that erases the contents of a user’s Google Drive, according to findings from Straiker STAR Labs.

The zero-click exploit, dubbed ‘Zero Click Google Drive Wiper,’ leverages Comet’s ability to connect with services such as Gmail and Google Drive to automate everyday tasks. By granting the browser agent OAuth access, users allow it to read emails, browse files, and carry out organizational actions.

Typically, a prompt like “Please check my email and complete all my recent organization tasks” will lead the agent to scan the inbox and perform whatever actions are needed. However, that broad autonomy is exactly what makes the system vulnerable.

“This behavior reflects excessive agency in LLM-powered assistants where the LLM performs actions that go far beyond the user’s explicit request,” the report noted.

According to researchers, an attacker can send a seemingly routine email packed with natural-language instructions directing the agent to reorganize Google Drive, delete certain files, and confirm the changes. Because the agent interprets the message as a legitimate workload, it may execute the destructive steps, such as moving critical files to a trash bin, without prompting the user for approval.

Once OAuth access is in place, malicious instructions can ripple across shared folders and team drives.

Instead of leveraging jailbreak slang or obvious adversarial prompts, the attack works by using polite, sequentially phrased language (terms such as “take care of,” “handle this,” and “do this on my behalf”) that subtly transfers decision-making to the agent, encouraging it to carry out unsafe operations without question.

“From analyzing the attack runs, we saw that agents are less likely to push back when tasks are framed as tidy, step-by-step productivity work. The sequencing and tone nudge the model toward compliance and away from questioning whether ‘delete all loose files’ is actually safe,” the researchers explained, noting that tone and phrasing can influence not only how models answer, but also what actions they take in agentic, tool-using contexts.
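
One mitigation for the behavior described above, added here as an example and not taken from Straiker's report or from Comet's code: a gate between the agent's planner and its tools that refuses destructive Drive calls whose instruction came from email content, and asks the user before running destructive calls they requested themselves. The tool names and the `origin` tag (assumed to be set by the agent runtime) are hypothetical; the gate keys on the action and its source, not on the wording of the email.

```python
from dataclasses import dataclass

# Hypothetical tool identifiers; a real agent runtime exposes its own names.
DESTRUCTIVE_TOOLS = {"drive.trash_file", "drive.delete_file", "drive.empty_trash"}

@dataclass(frozen=True)
class ToolCall:
    tool: str     # tool the model wants to invoke
    target: str   # file or folder the call acts on
    origin: str   # "user_prompt", or "untrusted_content" for email/web/file text

def gate(plan, confirm):
    """Split a planned list of ToolCall into (allowed, blocked).

    confirm(calls) -> bool shows the user the destructive calls they asked for
    and returns their decision. It is never consulted for calls whose
    instruction came from untrusted content; those are refused outright.
    """
    allowed, blocked, needs_approval = [], [], []
    for call in plan:
        if call.tool not in DESTRUCTIVE_TOOLS:
            allowed.append(call)                  # reads and listings proceed
        elif call.origin != "user_prompt":
            blocked.append((call, "destructive call requested by untrusted content"))
        else:
            needs_approval.append(call)
    if needs_approval:
        if confirm(needs_approval):
            allowed.extend(needs_approval)
        else:
            blocked.extend((c, "user declined") for c in needs_approval)
    return allowed, blocked

# Constructed plan: what an agent might produce for "check my email and
# complete all my recent organization tasks" after reading a crafted email.
SAMPLE_PLAN = [
    ToolCall("gmail.read_inbox", "inbox", "user_prompt"),
    ToolCall("drive.list_files", "root", "user_prompt"),
    ToolCall("drive.trash_file", "Q3-budget.xlsx", "untrusted_content"),
    ToolCall("drive.trash_file", "contracts/", "untrusted_content"),
]

if __name__ == "__main__":
    ok, refused = gate(SAMPLE_PLAN, confirm=lambda calls: False)
    for call in ok:
        print("ALLOW", call.tool, call.target)
    for call, reason in refused:
        print("BLOCK", call.tool, call.target, "-", reason)
```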
