Do you test a browser based on AI agents? Better stop – they are given for cybercriminals
The latest analyzes of Malwarebytes security specialists and Brave team research show that “agent” browsers – those that perform actions on our behalf – are sensitive to the so -called indirect prompt injection. This is a technique in which the attacker's instructions are sewn in seemingly ordinary content and Interpreted by the AI model as if they came from the user. When login and payments enter the game, the risk changes from small to high.
The difference between “AI in the browser” and “Agent browser” is very clear. In the first case, the model helps to sum up the text or answer the question, and the man clicks and decides. In the second – The agent plans and performs a string of activities himself: logs in, transfers data, finalizes transactions. If, on the way, he finds a insidious prepared page or commentary, he can perform unintentional actions in our active sessions, even on other cards.
The Brave team described a demonstration in which the hidden instructions from the commentary on Reddit told the Comet Agent (browser offered by Perplexity) reach to the Gmail box for a one -time code and take over the account on another website. It is a scenario that strikes the very foundations of classic network barriers, because the agent works “with the user permissions” over the boundaries of domains. In other words, both the user and companies offering security might have not thought about such threats.
Check also: This is the world's first bank based on artificial intelligence
Read also at Business Insider
A field for attacks of a new type
This is not an isolated incident. Malwarebytes warns that the increase in the popularity of browsers with agents It opens the way to attacks in which “the weapon is the language itself, not a gap in security.”
Instructions can be hidden as white letters on a white background or in the HTML comments, and the model – unlike man – will easily read them and treat as commands to make. Moreover, according to Malwarebytes reports, attempts to patch susceptibility in Comet have been made many times and still did not solve the problem at the source, which is the lack of a hard distinction between this, What the user says, and what the artificial intelligence says “artificial intelligence.
Industry standards are also beating an alarm. In the latest OWASP TOP 10 for the LLM application, “Prompt Injection” opens the list of risks to 2025, and Microsoft and Google simply call indirect commands of commands.
Both companies offer multilayer, defensive approaches combining context limiting, separation of input channels, output filtering and confirmation of the user for sensitive actions. This is important and also confirms that The problem is systemic and far from the solution.
It is worth noting that Prompt Injection is not limited to browsers. In July and August 2025, demonstrations were loud of the takeover of the Gemini assistant by “poisoned” calendar invitations or e-mail content, which ended, among others Initiating connections, manipulation of home appliances or displaying deceptive summaries. This is the same pattern. The model treats external content as instructions, and integrations are given by tools to continue to act independently and without the user's knowledge. If we transfer such a mechanism to a browser and give agent wide permissions, the consequences may apply to banking, mail and company systems.
See also: Google introduces new smartphones from AI. Some functions are controversial
Browsers with agents? It is better to let go for now
Why is it better not to use high -risk agent browsers today? There is no commonly accepted, effective separation between “user voice” and “the noise of the website”. The agent also has a natural tendency to absorb the context and connect it into the action plan, so Even good filters can pass instructions that look like help in the implementation of the task.
What's more, classic network security guarantees were designed against the code performed as part of the domain, not against the model that jumps between the context of cards and services like a user with full permissions. The practical effect is that One clever phrase in the comment can become a pass to take over a session or data leakage.
What do you have to wait for you to trust such browsers? For mature implementation of several elements – this is the basis. You need a strict, technical separation of entrance channels, in which the content of the page is always treated as distrustful and can never give instructions to the agent outside of unambiguous, explicitly allowed formats. Independent, deterministic “goals” are necessary to check whether the agent's plan is located for the user, and sensitive activities – like sending messages, access to boxes or payment authorization – must absolutely require interaction and confirmation.
The industry also needs assessment standards and public results of Red Teaming specialized for indirect injection of commands in agent scenarios, as well permanent limiting and minimizing the context transferred to the model. Only a combination of such practices, which is announced today by, among others Google and Microsoft can realistically reduce the risk to acceptable level.
If we have to use them, it's only on a short leash. That is, without access to mail and banking, with detachable tools, on the account without remembered passwords and with attention to what the agent “reads” in the background. The most reasonable approach is to treat agent browsers as experimental versions – good for reading and simple automation, but insufficiently safe for money, company data or important online accounts. Before the agent in the browser becomes completely safe, He must learn to ignore what the user has not told him – and he still can't.
Author: Grzegorz Kubera, Business Insider Polska journalist
