A study looking into agentic AI browsers has found that these emerging tools are vulnerable to both new and old schemes that could make them interact with malicious pages and prompts.
Agentic AI browsers can autonomously browse, shop, and manage various online tasks (like handling email, booking tickets, filing forms, or controlling accounts).
Perplexity’s Comet is currently the primary example of agentic AI browsers. Microsoft Edge is also embedding agentic browsing features through a Copilot integration, and OpenAI is currently developing its own platformcodenamed ‘Aura’.
Although these tools are currently aimed attech enthusiasts and early adopters, Comet is quickly penetrating the mainstream consumer market.
According to an examination focused primarily on Comet, these tools were released with inadequate security safeguards against known and novel attacks specifically crafted to target them.
Tests from Guardio, a developer of browser extensions that protect against online threats (identity theft, phishing, malware),revealed that agentic AI browsers are vulnerable to phishing, prompt injection, and purchasing from fake shops.
In one test, Guardio asked Comet to buy an Apple watch while on a fake Walmart site the researchers created using the Lovable service.
Although in the experiment Comet was directed to the fake shop, in a real-life scenario an AI agent can end up in the same situation through SEO poisoning and malvertising.
The model scanned the site without confirming its legitimacy, navigated to checkout, and autofilled the data for the credit card and address, completing the purchase without asking for human confirmation.
Guardio says.
“Once they succeed, the same exploit can be scaled endlessly. And because they have access to the same models, they can “train” their malicious AI against the victim’s AI until the scam works flawlessly.”
Until the security aspect of agentic AI browsers reaches a certain level of maturity, it would be advisable that sensitive tasks like banking, shopping, or accessing email accounts are not assigned to them.
Also, users should avoid giving AI agents credentials, financial details, or personal information, and instead input that data manually when needed, which can act as a final confirmation step.
