AI browsers are here, and so are attackers
“Because it’s still a new technology, there are still a lot of architectural vulnerabilities that are not fixed yet,” researcher says.
A browser powered by agentic AI could take care of buying plane tickets, setting appointments—and open the door to threat actors.
New research from browser detection and response company SquareX shows how agents in the AI browser Comet can be used by attackers to access account information and email inboxes. Agents are given commands and granted permissions, and malicious actors can abuse both to get at your private information.
Expectation/reality. Audrey Adeline, a member of the SquareX Founder’s Office, told IT Brew that while AI browsers come with a lot of promise, the researchers’ discoveries should serve as a warning. Adeline isn’t saying not to use agentic AI in browsers, especially with browsers like Google Chrome and Microsoft Edge integrating the technology into their products, but she did sound a note of caution.
“Because it’s still a new technology, there are still a lot of architectural vulnerabilities that are not fixed yet,” Adeline said. “Among them are the fact that these AI agents are not security-aware. They’re trained to complete tasks to make people more productive, but it’s very easy for attackers to trick these AI agents to make them think that certain malicious tasks are required to complete whatever prompt the user is telling them to do.”
In a demo video Adeline shared with IT Brew, SquareX researchers showed how an agent could give attackers access to a user’s accounts. In the scenario, the Comet agent is asked to research and compile data for a project. In doing so, it encounters a file-sharing app that asks for permissions to read and access the user’s Google account and email. The agent allows access because it is following other instructions; threat actors could use this tactic and others to infiltrate systems.
Taking care of business. Adeline said Comet has already come a long way in dealing with security in its browser. But those protections aren’t enough given the scope of potential attacks.
“There are so many ways to essentially exploit them, so it is still not comprehensive at all,” Adeline said. “The fact that we could find these four attacks within just a couple of weeks—the only real guardrail that you can provide is essentially to limit these agentic identities on what they can do.”
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
AI browser developers like Browserbase are aware of the security threat. The company is partnering with password manager 1Password on a secure authentication process for AI agents that will be incorporated into the Browserbase browser. For CEO Paul Klein, working with 1Password is making things easier when it comes to secure access, and keeping the human element in play helps.
“In the old world, people were giving agents a list of their passwords and saying, ‘Hey, this is the one to log in,’” Klein said. “But now, with this 1Password iteration into a browser agent, we have those best-in-class things where the password is never shared—they can list the sites that you can log into and request access to a certain site, but then the human is approving that.”
Forward facing. Ultimately, browsers using agentic AI will become more or less ubiquitous, Klein said, but as with cloud infrastructure, getting there will require trial and error.
“More and more, the infrastructure needs to catch up to AI, and that’s a lot of the work that we’re doing,” Klein said.
Part of that process is making sure things are locked down. 1Password SVP and Head of Engineering Nancy Wang told IT Brew that encryption is an important part of the security process for browsers because they are the new endpoints. She analogized the protections to holding a safety deposit box in a bank vault.
“Even if you get into the bank, you have the bank key—we’re not actually able to see the contents of your safety deposit box, because you need your own account key,” Wang said, adding, “That’s the same principle that we apply for when we give agents the right access to sensitive things.”