https://guard.io/labs/agenticblabbering—how-ai-browsers-verbose-reasoning-fuels-the-ultimate-scamming-machine

Security researchers at Guardio have demonstrated a critical vulnerability in AI-powered autonomous browsers by successfully tricking Perplexity’s Comet browser into falling victim to a phishing scam in under four minutes. The attack, dubbed “Agentic Blabbering,” exploits the verbose reasoning these AI browsers produce as they navigate websites and make decisions in real time. By intercepting traffic between the browser and AI services running on vendor servers, researchers fed this reasoning data into a Generative Adversarial Network that iteratively refined a phishing page until the AI agent stopped flagging it as suspicious and proceeded to enter credentials on the fraudulent site. This technique builds on prior vulnerabilities like VibeScamming and Scamlexity, but represents a fundamental shift where attackers no longer need to deceive human users—instead, they train scams to specifically fool the AI models themselves.

The vulnerability stems from AI browsers continuously narrating their actions, beliefs, and security assessments as they interact with dynamic web pages. Guardio’s research revealed that when the AI explains why it stopped or what it considers suspicious, it inadvertently teaches attackers how to bypass its defenses. Once a scam page is optimised to work against a specific AI browser model through offline training, it works reliably against all users relying on that same agent. This represents what researchers call a “scamming machine” that can generate perfectly tailored phishing attacks on first contact with victims, eliminating the trial-and-error phase traditionally required in the wild.

The disclosure follows similar vulnerabilities identified by Trail of Bits and Zenity Labs, which demonstrated prompt injection attacks against Comet that could exfiltrate private Gmail data and hijack 1Password accounts through zero-click attacks using malicious meeting invites. These issues, collectively termed PerplexedBrowser, leverage “intent collision,” in which AI agents merge benign user requests with attacker-controlled instructions from untrusted web data without reliably distinguishing between them. OpenAI has previously acknowledged that prompt injection vulnerabilities in agentic browsers are unlikely to ever be fully resolved, though risks can be reduced through automated attack discovery, adversarial training, and system-level safeguards.