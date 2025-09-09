Soon after we tested Comet for its end-user capabilities, Guardio Labs emerged with a report showing that agentic AI browsers can be tricked into executing online scams.
The researchers demonstrated how they fooled autonomous browsing systems into completing fraudulent purchases and submitting sensitive credentials to phishing sites without alerting the user.
The investigation was led by security researchers Nati Tal and Shaked Chen, who subjected Perplexity’s Comet browser to multiple attack scenarios.
Unlike traditional browsers that rely on human judgment, the researchers note that AI browsers have built-in weaknesses, including too much trust and following instructions without the natural doubt humans have.
We explore the key AI browser security risks and what could be done to fix them.
Key Takeaways
- AI browsers like Comet can be tricked into completing scams, including fake purchases and phishing logins.
- Guardio Labs showed that these systems lack the natural skepticism humans use online.
- Prompt-injection attacks can hide malicious commands in webpages, giving attackers control over the browser.
- Current safety checks, like Google Safe Browsing, are not enough for AI-driven browsing.
- Researchers say AI browsers need built-in guardrails such as phishing filters, spoofing alerts, and anomaly detection.
Scamlexity Makes Traditional Scams Hit Harder
Guardio Labs research shows that agentic AI browsers fail against basic security tests that have existed for decades.
To prove this, the researchers embarked on an experiment that involved building a fake Walmart storefront using the Lovable platform and telling Comet to “buy an Apple Watch.”
As highlighted in the video experiment above, the AI browser went browsing on its own, scanning the web pages directly and locating the right buttons.
Despite clear signs that the site wasn’t actually Walmart, the browser still could not pick that out, perhaps because that wasn’t part of its assigned task. Anyways, the browser found the Apple Watch, added it to the cart, and without asking for confirmation, autofilled saved address and credit card details from the browser’s database to complete the purchase.
The researchers found that while Comet sometimes refused to complete purchases or asked for human help, these safety responses were inconsistent.
The researchers said:
“It’s important to note that we ran this test multiple times. Sometimes, Comet refused and sensed something phishy. In other cases, it paused and asked the human to complete checkout manually.”
Bad at Fishing Out Phishing
Although AI browser assistants have the autonomous capability to slide into your email, read what’s there, and even help you respond to them, they haven’t got the eye to differentiate between legitimate and phishing emails.
Guardio Lab experiment proved this by sending a fake email from a fresh ProtonMail address posing as a Wells Fargo investment manager. Contained in the email was a link to a genuine phishing page that was active and unflagged by Google Safe Browsing.
In this experiment, Comet interacted with the phishing email as if it were a legitimate banking email, added it to a to-do list, and clicked the link without any form of verification.
The browser treated the fake Wells Fargo login page as authentic, even prompting the user to enter credentials.
The researchers suggest that these failures are a result of a fundamental trust chain problem where AI systems lack the level of intuition for natural skepticism and protective judgment.
They explained:
“Human intuition to evade harm is excluded from the process, and AI becomes the single point of decision. Without strong AI guardrails, that decision is essentially a coin toss – and when your security is left to chance, it’s only a matter of time before it lands on the wrong side.”
Prompt Injection Creates New Threats
Beyond traditional prompt injection fraud scenarios, the researchers went further to test the AI browser for what they introduced as “PromptFix.”
This attack technique, they said, represents a new form of Clickfix scam. ”It’s our AI-era evolution of the ClickFix scam – a social engineering trick mimicking CAPTCHA pages that works so well on humans, now adapted to work on their AI Agents,” they noted.
To trick the AI browsing assistant into this, the research team uses invisible text boxes hidden on webpages through simple CSS styling. Humans can’t see them, but these boxes contain malicious commands that the AI agent processes as legitimate instructions.
Their demonstration created a fake medical results page containing what appeared to be a harmless CAPTCHA checkbox.
However, concealed behind the scenes was a set of attacker instructions inside an invisible text box, hidden through simple CSS styling. Humans couldn’t see it, but it flowed directly into the AI’s prompt as it processed the page.
The attack succeeded by exploiting the AI’s core design, which is to help users quickly and completely. According to research findings, the hidden prompt convinced the AI it was encountering a special “AI-friendly” CAPTCHA it could solve on behalf of its human user. Rather than requesting human intervention as programmed, the browser clicked the malicious button.
In their controlled demo, this triggered a harmless file download, but could easily have been a malicious payload planting malware without the user’s knowledge.
This vulnerability extends far beyond simple downloads. The same technique could allow attackers to have full control of the AI browser.
The researchers explained:
“The same technique could allow the AI to send emails containing personal details, grant file-sharing permissions on the victim’s cloud storage, or execute any other action its permissions allow. In effect, the attacker is now in control of your AI, and by extension, of you.”
The Bottom Line
The research authors emphasized the need to address these vulnerabilities by integrating security considerations into AI browser architecture rather than relying on existing protective measures.
In their view, AI browsers are designed to prioritize user experience over safety mechanics, and it should not be so. In addition to that, they argue that current AI browsers mainly delegate security functions to traditional tools like Google Safe Browsing, which proves insufficient for AI-mediated interactions.
They also recommend building AI browsers with ”the proven guardrails we already use in human-centric browsing.”
These include advanced phishing detection systems that operate within the AI’s reasoning loop, URL reputation checks before autonomous navigation, domain spoofing alerts adapted for AI processing, malicious file scanning, and behavioral anomaly detection that can identify when AI actions deviate from expected patterns.
FAQs
Prompt injections work by hiding malicious instructions in invisible webpage elements that the AI processes as legitimate tasks.
Current models often miss phishing red flags, misjudge fake sites, and sometimes complete transactions without user confirmation.
Security needs to be built into the AI’s reasoning loop, with tools like phishing filters, URL checks, spoofing alerts, and anomaly detection.