Agentic artificial intelligence (AI) web browsers that can act autonomously on users’ behalf appear to be extremely gullible and unsafe to use, falling for hoary old scams as well as newer attacks, security researchers suggest.
Consumer oriented security vendor Guardio built three scenarios to test how AI browsers handle fake ecommerce and phishing sites, along with one straight prompt injection attack inside fake CAPTCHA.
Guardio used Perplexity.ai’s Comet browser as the main test subject, naming its research “Scamlexity”.
Among its other features, Comet’s agentic AI is able to automate multi-step online tasks like shopping comparisons, and add items to online carts on ecommerce sites.
However, Comet is said to limit shopping automation for privacy and security reasons, and refuses to fill in users’ personal and/or payment information; nor will the browser finalise transactions automatically.
iTnews tested online purchases with Comet, and while the AI browser was able to prepare a shopping cart with goods as specified by the user, it would not check out with payments details and personal information.
Despite that, testing with a scenario featuring an AI-generated fake Walmart site, the Guardio researchers claimed Comet would complete a transaction to buy an Apple Watch.
The scammy Walmart site wasn’t able to trick Comet every time however, Guardio said.
Comet also fell for a phishing email, marking it as a to-do item from Wells Fargo Bank, even though the message arrived from a Protonmail account.
The AI browser clicked on the link to the site with the fake Wells Fargo login page, and filled in user credentials automatically, Guardio said.
Guardio also said it was able to “social engineer” the Comet AI with a prompt injection attack on a CAPTCHA test page, using instructive text that’s not visible to humans, but which the assistant would read and follow.
Called “PromptFix”, Guardio made the Comet AI agent download a file by tricking it into clicking on an “AI bypass button” on the CAPTCHA page.
Guardio researchers Nati Tal and Shaked Chen said their work points to multiple problems with AI browsers, which are now starting to appear from multiple software vendors:
“The problem isn’t just that these browsers are UX-first. They also inherit AI’s built-in vulnerabilities – the tendency to act without full context, to trust too easily, and to execute instructions without the skepticism humans naturally apply,” Guardio said.
“AI is designed to make its humans happy at almost any cost, even if it means hallucinating facts, bending the rules, or acting in ways that carry hidden risks.”
Proven guard rails already used in human-centric browsing such as phishing detection, URL reputation checks, domain spoofing alerts, malicious file scanning and behavioural anomaly detection need to work within the AI decision loop as well, Guardio said.
Perplexity has been contacted by iTnews for comment.
The company’s Comet web browser suggested that the security issues reported by Guardio are very real and need to be taken seriously, with the AI agent insisting they are not overblown, but underappreciated rather.
Source link
