| Bluesky | https://headmold.bsky.social |
| Profile photo by | @bdowney |
@freddy Ooh, I didn't know about this, thanks!
I'd guess the Apple Intelligence here would be:
- to know how to navigate that well-known link, which uhh *probably* wouldn't have user-generated content? (And if keeping UGC out wasn't a good enough practice before, it may well be now!)
- to work on sites that don't support that well-known URL. I assume this is a lot of sites. The first site I tried did not support it.
If not, there'd be no need for "AI", after all. So I don't think that's enough.
With a bit less jargon: On some sites, Apple's agent might need to read pages full of user-generated text to find the "change password" link. The text could trick Apple's agent into letting an attacker hijack your account.
If Apple wasn't careful, the "confusion" could even spread to other sites.
@tychotithonus I'm not even sure that's enough. What if the prompt injection just tells the bot to change all users' passwords to [dGhpcyBpcyBhIGJhZCBwYXNzd29yZAo=]? How is a user supposed to understand that this is bad?
Besides that, I worry that going into too much detail and requiring confirmation at each step would be slower than just doing it manually or be so verbose that most users just repeatedly click "OK".