Agentic LLM Browsers Vulnerable to Prompt Injection and Data Theft
Key Takeaways
- Agentic LLM browsers, including Perplexity Comet, OpenAI Atlas, Microsoft Edge Copilot, and Brave Leo AI, are susceptible to architectural vulnerabilities.
- These vulnerabilities allow indirect prompt injection and cross-site scripting (XSS) attacks to gain full control over browsing sessions.
- Attackers can exploit these flaws to exfiltrate local files, send emails, redirect users to phishing sites, or install malware without user consent.
- The core issue lies in the privileged communication channels between AI models and browser internals, designed for automation but lacking robust security boundaries.
The integration of artificial intelligence is fundamentally transforming how users interact with the internet, moving beyond static page display to active content interpretation and task execution. These advanced tools, known as agentic LLM browsers, allow users to issue high-level commands such as “book a meeting” or “summarize my emails,” with the AI managing the underlying steps. While offering significant convenience, this paradigm shift introduces critical security risks that are only now being fully understood.
Agentic LLM browsers function by establishing a direct link between an AI model and the browser’s core systems. This grants the AI the capability to perform actions like clicking elements, filling out forms, and interacting with local files, often without requiring explicit user approval for each individual step. Prominent examples in this category include Comet by Perplexity, Atlas from OpenAI, Microsoft Edge Copilot, and Brave Leo AI.
Despite their varied implementations, a common architectural weakness unites these products: their operational design often necessitates bypassing the robust security frameworks meticulously developed over decades for traditional web browsers.
Researchers at Varonis Threat Labs identified significant architectural vulnerabilities across these agentic browsers. Their findings indicate that the very design choices that empower these tools also render them highly susceptible to exploitation. By connecting the AI model to local browser processes via privileged extensions and internal communication channels, these browsers create a control pathway that current security models were not designed to contain.
The resulting attack surface is extensive. A common web vulnerability like Cross-Site Scripting (XSS), whose impact in a standard browser is normally confined to the single site it runs on, can now grant an attacker comprehensive control over an entire browsing session. Through a technique known as indirect prompt injection, a malicious webpage can embed hidden instructions directly into the content the AI reads and acts upon. These commands, unseen by the user, are then executed by the AI without question.
Such commands can compel the agent to access private local files, dispatch emails on behalf of the user, navigate to deceptive phishing sites, or silently download malicious software onto the device. This level of compromise far surpasses the potential damage of conventional browser attacks. Furthermore, these attacks are particularly difficult to detect because the agent operates using the user’s legitimate credentials, making malicious activities indistinguishable from normal browser behavior and allowing attackers to persist undetected for extended periods.
How the Communication Bridge Becomes a Weapon
The most critical vulnerability in agentic LLM browsers stems from the trusted communication channel established between the AI backend and the browser’s internal components.
Perplexity Comet’s Externally Connectable Feature
In the case of Perplexity Comet, the browser relies on the extension manifest's externally_connectable feature. This allows specific approved domains, such as perplexity.ai, to send commands directly to a powerful background extension. This extension holds the “debugger” permission, which provides complete programmatic control over the browser, including the ability to simulate clicks, scrolls and typing, and to read content across all open tabs.
This extension operates silently and cannot be disabled through standard browser settings. If an attacker successfully executes malicious JavaScript on any approved domain, they can leverage that trusted origin to inject unauthorized commands through the same privileged channel. Varonis Threat Labs confirmed during their testing that an XSS vulnerability on a trusted domain could enable an attacker to invoke the GetContent tool, thereby exfiltrating local files from the user’s machine.
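The weakness described above is that an origin check alone is all that stands between a page script and the debugger-backed extension, so any XSS on an approved domain inherits the whole channel. The gate below is an added example, not Comet's or any vendor's code: it shows the further checks an extension could apply to every external message before forwarding it (default-deny tool allowlist, per-tool argument policy, same-tab scoping). The sender {origin, tabId} and message {tool, args} shapes are assumptions modelled on the page's description, not a real extension API.

```javascript
// Added example (not Comet's or any vendor's code): a policy gate applied to
// every external message before it reaches a debugger-backed automation layer.
// Sender {origin, tabId} and message {tool, args} are assumed shapes.
const TRUSTED_ORIGINS = new Set(["https://www.perplexity.ai"]); // assumed allowlist

// Default-deny: only listed tools are reachable from the external channel,
// each with its own argument check and (optionally) a same-tab restriction
// so a compromised page cannot steer actions into other open tabs.
const TOOL_POLICY = {
  Summarize: { check: (a) => typeof a.text === "string", tabScoped: false },
  Click: { check: (a) => Number.isInteger(a.x) && Number.isInteger(a.y), tabScoped: true },
  // Page reads are limited to http(s) URLs; file:// and other schemes are refused.
  GetContent: { check: (a) => /^https?:\/\//i.test(String(a.url || "")), tabScoped: true },
};

// Returns {allowed, reason}. Denied commands must be dropped and logged,
// never passed on to the privileged layer.
function authorizeExternalCommand(sender, message) {
  if (!sender || !TRUSTED_ORIGINS.has(sender.origin)) {
    return { allowed: false, reason: "untrusted origin" };
  }
  // Own-property lookup only, so names like "constructor" do not resolve
  // to Object.prototype members and slip past the allowlist.
  const tool = message && message.tool;
  const policy = Object.prototype.hasOwnProperty.call(TOOL_POLICY, tool)
    ? TOOL_POLICY[tool]
    : null;
  if (!policy) return { allowed: false, reason: "tool not exposed externally" };
  const args = message.args || {};
  if (!policy.check(args)) {
    return { allowed: false, reason: "argument policy violation" };
  }
  if (policy.tabScoped && args.tabId !== sender.tabId) {
    return { allowed: false, reason: "cross-tab action refused" };
  }
  return { allowed: true, reason: "ok" };
}
```

Even with these checks a script on a trusted origin can still drive the allowed tools, which is why the page's later advice on monitoring agent actions matters as a second layer.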
Microsoft Edge Copilot’s Data Exfiltration Risk
Microsoft Edge Copilot faces a similar risk. Researchers demonstrated how the Edge.Context.GetDocumentBody tool could be called in a continuous loop, capturing live page data and transmitting it to an external server. This effectively transforms a basic content reading function into a persistent surveillance mechanism.
What You Should Do
- For Security Teams: Implement robust monitoring for browser processes, looking for unusual file access patterns, unexpected outbound network connections, or browser actions executed with user-level authority but lacking clear user initiation.
- For Developers: Adhere strictly to the principle of least privilege for all extensions, especially those with elevated permissions. Rigorously validate and sanitize all external data processed by the AI model.
- For Individual Users: Maintain all browsers and operating systems with the latest security updates and patches. Varonis researchers noted that a prompt injection vulnerability related to embedded page titles was patched during their research period, underscoring the importance of timely updates.
- For Organizations: Deploy advanced data-aware detection tools capable of distinguishing between legitimate browser activity and actions that appear valid on the surface but originate from malicious, non-user intent.
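The monitoring advice above, and the Edge Copilot loop pattern described earlier, can be turned into concrete detection rules. This is an added example, not Varonis' tooling or any vendor's code: it runs four rules over a constructed log of agent tool invocations (local file reads through a content tool, posts to unexpected hosts, consequential actions with no user gesture, and a read tool called in a tight loop). The event shape {ts, tool, args, userInitiated} is an assumed telemetry format.

```javascript
// Added example, not Varonis' tooling or any vendor's code: detection rules
// run over a constructed log of agent tool invocations. The event shape
// {ts, tool, args, userInitiated} is an assumed telemetry format.
const KNOWN_HOSTS = new Set(["www.perplexity.ai", "mail.example.com"]); // assumed
const LOOP_THRESHOLD = 10;    // same tool this many times ...
const LOOP_WINDOW_MS = 10000; // ... within this window is flagged as a loop
const GESTURE_TOOLS = new Set(["SendEmail", "Download", "Navigate"]);

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}
// Returns one {ts, rule, detail} alert per suspicious event, in time order.
function detectAgentAbuse(events) {
  const alerts = [];
  const recentByTool = new Map();
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const args = ev.args || {};
    // Rule 1: a content-reading tool pointed at a local file, not a web page
    if (ev.tool === "GetContent" && String(args.url || "").startsWith("file://")) {
      alerts.push({ ts: ev.ts, rule: "local-file-read", detail: args.url });
    }
    // Rule 2: page data posted to a host outside the expected set
    if (ev.tool === "HttpPost" && !KNOWN_HOSTS.has(hostOf(args.url))) {
      alerts.push({ ts: ev.ts, rule: "unexpected-outbound", detail: hostOf(args.url) });
    }
    // Rule 3: consequential actions taken with no user gesture behind them
    if (GESTURE_TOOLS.has(ev.tool) && !ev.userInitiated) {
      alerts.push({ ts: ev.ts, rule: "no-user-initiation", detail: ev.tool });
    }
    // Rule 4: a read tool hammered in a tight loop (the GetDocumentBody pattern)
    const recent = (recentByTool.get(ev.tool) || []).filter((t) => ev.ts - t < LOOP_WINDOW_MS);
    recent.push(ev.ts);
    recentByTool.set(ev.tool, recent);
    if (recent.length === LOOP_THRESHOLD) {
      alerts.push({ ts: ev.ts, rule: "tool-loop", detail: `${ev.tool} x${LOOP_THRESHOLD}` });
    }
  }
  return alerts;
}

// Constructed sample log: one legitimate page read, then a GetDocumentBody
// loop, a post to an unknown host, a local file read and an unrequested email.
const SAMPLE_EVENTS = [
  { ts: 0, tool: "GetContent", args: { url: "https://www.perplexity.ai/" }, userInitiated: true },
  ...Array.from({ length: 12 }, (_, i) => ({ ts: 1000 + i * 500, tool: "GetDocumentBody", args: {}, userInitiated: false })),
  { ts: 7100, tool: "HttpPost", args: { url: "https://collector.invalid/x" }, userInitiated: false },
  { ts: 8000, tool: "GetContent", args: { url: "file:///C:/Users/me/notes.txt" }, userInitiated: false },
  { ts: 9000, tool: "SendEmail", args: { to: "someone@example.com" }, userInitiated: false },
];
```

Running detectAgentAbuse(SAMPLE_EVENTS) yields four alerts, the loop alert firing on the tenth GetDocumentBody call rather than on every repeat, which keeps the rule from flooding an analyst.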
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.