Connect with us

Hi, what are you looking for?

Tuesday, Jul 7, 2026
Mugglehead Investment Magazine
Alternative investment news based in Vancouver, B.C.
Agentic AI browsers create new cybersecurity risks
Agentic AI browsers create new cybersecurity risks
Photo from FlyD via Unsplash

AI and Autonomy

Agentic AI browsers create new cybersecurity risks

Researchers found four browsers created conditions that could let malicious websites bypass the same-origin policy

Artificial intelligence companies have rushed to release web browsers with built-in AI agents, but new research suggests the technology may expose users to serious cybersecurity threats before it is ready for widespread use.

Researchers on Tuesday at the University of Washington found that several leading AI-powered browsers can weaken a long-standing web security safeguard, potentially allowing attackers to steal sensitive information through carefully crafted online traps.

The research examined seven popular agentic browsers that automate online tasks for users. These browsers can research vacations, compare products, book restaurants, schedule appointments and manage calendars with limited human involvement.

However, researchers found that four browsers created conditions that could let malicious websites bypass a key internet protection called the same-origin policy. That security rule prevents one website from accessing information stored by another website inside the same browser. Consequently, attackers could exploit browser agents instead of targeting users directly.

The research team successfully demonstrated a proof-of-concept attack against ChatGPT Atlas from OpenAI. The researchers also identified similar weaknesses in Chrome with Gemini from Alphabet (NASDAQ: GOOGL), Claude for Chrome from Anthropic and Perplexity Comet. However, browsers that granted AI agents fewer permissions generally resisted the attacks more effectively.

Assistant professor David Kohlbrenner said people should not assume these browser agents can adequately protect personal information today. He said even experienced users face risks if an AI agent can access email accounts, banking websites or other services containing sensitive credentials. Furthermore, he said the technology may improve over time, but current systems still fall short of providing dependable protection.

The researchers presented their findings during the Agents in the Wild Workshop in Rio de Janeiro.

Read more: AI spots breast cancer risk years before diagnosis using routine mammograms

Read more: Communities push back as AI data centre boom meets resistance

AI agents create unexpected security problems

The same-origin policy has protected internet users since 1995. It prevents websites from reading or modifying information belonging to other sites, even when one page appears inside another through embedded content. That separation allows people to browse unfamiliar websites without exposing private information from banking, shopping or email sessions. Additionally, the safeguard has become one of the internet’s most important security foundations over the past three decades.

Professor Franziska Roesner said web browsing once required far greater caution than it does today. She explained that visiting a malicious website in the early internet era could easily trigger attacks against users. Modern browser protections have greatly reduced those risks by isolating websites from one another. However, AI agents can unintentionally weaken those protections because they operate differently than human users.

Traditional browsers require people to move information between websites themselves. Someone copying a bank account number into another webpage must intentionally perform that action. AI agents automate many of those tasks after receiving user instructions. Consequently, attackers may manipulate the agents into transferring information without the user’s knowledge.

The researchers found that giving AI agents permissions similar to those of human users creates unexpected security problems. Attackers can design websites that secretly communicate with the agent rather than the person operating the browser. Kohlbrenner said many attacks resemble social engineering techniques aimed at people, but criminals now adapt those methods specifically for AI systems. Furthermore, he said machines can fall for deceptive instructions that many human users would quickly recognize as suspicious.

Read more: A measly 16% of Americans think artificial intelligence will benefit society

Read more: Artificial Intelligence and the invisible revolution: A Mugglehead roundup

Researchers warn about memory poisoning

One of the biggest concerns involves prompt injection attacks. A malicious webpage can hide instructions inside its code that an AI agent reads while completing an unrelated task. The user never sees those hidden directions.

Researchers described one example involving an AI agent summarizing a legitimate webpage. An embedded malicious page secretly instructs the agent to include protected information in its summary before submitting the results through an online form. If the browser allows the agent to access the embedded content, the agent may unknowingly send sensitive information directly to attackers. Additionally, the user may never realize the transfer occurred because the browser completes the process automatically.

The researchers also warned about memory poisoning. Many AI agents store and compress information gathered during browsing to improve future performance. That convenience creates another possible target for attackers. Meanwhile, information from separate websites may become mixed together as the agent reorganizes its memory.

Roesner said the researchers observed situations where information from different online sources blended together during memory processing. That mixing could weaken safeguards that originally kept the information separate. Consequently, harmful instructions encountered on one website might later influence the agent while it visits another website.

The paper described a hypothetical example involving an online discussion forum. A malicious Reddit page could instruct an AI agent to reveal a user’s bank account number during a future visit. The browser might reject the instruction immediately. However, the command could survive inside the agent’s memory after later revisions changed how the information was stored. The altered memory might eventually bypass protections tied to the instruction’s original source.

Read more: Vertiv’s new Malaysia facility boosts local AI data centre capabilities

Read more: China’s AgiBot formally opens 1st overseas robotics centre in Malaysia

Study found Firefox AI Mode presented lowest level of risk

Researchers shared their findings with the companies behind the browsers before releasing the study. Anthropic and Firefox did not respond to the report, according to the researchers. OpenAI and Perplexity declined the report. Furthermore, the researchers said no straightforward solution currently preserves the browsers’ advanced capabilities while eliminating every security concern they identified.

The study found that Firefox AI Mode presented the lowest level of risk. However, that browser also offered the fewest automated features. Researchers said the results illustrate a difficult trade-off between expanding AI capabilities and maintaining strong browser security as developers continue building increasingly autonomous online assistants.

.

Follow Mugglehead on x

Like Mugglehead on Facebook

Follow Joseph Morton on x

joseph@mugglehead.com

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

AI and Autonomy

It is the cooling equipment producer's first complex in Southeast Asia

Rare Earths

Governments have expanded financial support for new mines, processing facilities and refining capacity

AI and Autonomy

AI is increasingly influencing decisions that shape everyday life

AI and Autonomy

An Ipsos survey conducted in late 2025 found about half of Americans opposed building a data centre near their homes