https://www.darkreading.com/application-security/ai-agents-undermine-progress-browser-security
Agentic browsers powered by artificial intelligence are undermining years of progress in web security by reintroducing vulnerabilities that modern browsers had largely eliminated, according to recent research from cybersecurity consultancy Trail of Bits. The fundamental problem stems from inadequate isolation, as these AI-powered browsers treat the agent as a proxy for the user with permissions to cross different tabs and access local systems. This design flaw enables attackers to exploit reflected cross-site scripting and data exfiltration techniques that traditional same-origin policies had successfully neutralised, effectively resetting browser security to a less protected state despite being deployed in 2026.
Researchers have demonstrated that prompt injection attacks can manipulate AI agents into exfiltrating sensitive data including multi-factor authentication tokens from emails, accessing logged-in services, and retrieving local files. Trail of Bits successfully used GitHub gists to inject malicious instructions that suborned control of AI agents, while separate testing by hCaptcha found that agentic browsers attempted nearly all of 20 common malicious scenarios with minimal resistance. Security firm SquareX also discovered critical vulnerabilities in Perplexity’s Comet browser allowing unauthorised access to local data. Many of these attacks succeed not because of sophisticated exploits but because agentic browsers frequently run on outdated Chromium code and lack basic anti-malware defenses.
It is believed that prompt injection vulnerabilities may be inherently unsolvable given how large language models process natural language for both data and commands without clear separation. Researchers recommend organisations treat agentic browsers like any tool executing untrusted internet code by implementing strict sandboxing and limiting their access to sensitive company data. Security professionals warn that until fundamental controls are validated, these AI agents should not be trusted with real user sessions and manufacturers appear reluctant to prioritise safety improvements over competitive market positioning, potentially exposing both users and the companies deploying these browsers to significant liability.