Guardio researchers tested a browser with an AI agent and concluded that it is vulnerable to both old and new attack techniques that can coerce it into interacting with malicious pages and prompts.
AI agents in browsers are capable of autonomously surfing the web, making purchases, and managing various online tasks (for example, processing email, booking tickets, filling out forms, and so on).
At present, the primary example of a browser with a built-in AI agent is Comet, developed by Perplexity, and it is the focus of Guardioâs research. However, itâs worth noting that Microsoft Edge also includes agentic AI features (via integration with Copilot), and OpenAI is currently developing its own platform for these tasks under the codename Aura.
Although for now these tools are mostly geared toward enthusiasts, Comet is quickly entering the mass consumer market. And researchers from Guardio warn that such solutions are not adequately protected against known and novel attacks crafted specifically to target them.
As tests have shown, browsers with AI agents can be vulnerable to phishing and prompt injections, and may even make purchases in fake online stores.
For example, in one of the tests the analysts asked Comet to buy an Apple Watch on a fake Walmart website that the researchers themselves created using the Lovable service. Although in the experiment Comet was directed straight to the bogus store, itâs noted that in real life an AI agent could end up in the same situation due to malicious ads, black-hat SEO, and other factors.
As a result, the AI scanned the fake site and then, without verifying its legitimacy, proceeded to checkout and automatically entered the bank card details and address, completing the purchase without asking the user for confirmation.
In the second test, the researchers created a fake email purportedly from Wells Fargo, embedded a link to a real phishing page, and sent it from a ProtonMail address. Comet treated the incoming message as a legitimate email from the bank, followed the phishing link, loaded the fake Wells Fargo login page, and prompted the user to enter their credentials on it.
In the third test, aimed at evaluating resistance to prompt injections, the researchers created a fake CAPTCHA page and used the classic ClickFix attack, but supplemented it with hidden instructions for the AI agent embedded in the pageâs code. As a result, Comet interpreted these hidden instructions as legitimate commands and clicked the CAPTCHA button, thereby triggering the download of a malicious file.
Guardio emphasizes that these tests are just the tip of the iceberg of problems caused by the emergence of agentic AI browsers. Moreover, in the future such threats could supplant conventional human-targeted attack models.
âIn the era of AI vs. AI, scammers donât need to deceive millions of different people; itâs enough to break a single AI model,â the experts write. âOnce they do, that exploit can be scaled indefinitely. Since attackers have access to the same models, they can âtrainâ their malicious AI against the victimâs AI until the scam works flawlessly.â
Experts conclude that, for now, agentic AI in browsers is still too immature, and itâs not recommended to entrust it with important tasks such as banking, shopping, or accessing email accounts. Users are also advised to avoid giving AI agents credentials, financial details, and personal information â itâs safer to enter this data manually.
2025.04.23 â Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article â
2025.02.07 â 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article â
2025.02.06 â Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article â
2025.04.29 â FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article â
2025.01.29 â Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article â
2025.01.27 â Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article â
2025.02.20 â Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article â
2025.04.15 â Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article â
2025.01.27 â YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article â
2025.02.18 â Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article â