Architectural Security Vulnerabilities of AI Browsers


As AI Browsers rapidly gain adoption across enterprises, SquareX released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps.

What are AI Browsers?

AI browsers are web browsers that integrate AI capabilities directly into the browsing experience, typically as an AI sidebar into which the user enters prompts. AI browsers come in different levels of complexity:

  • AI Chatbots - these browsers allow users to interact with the browser in much the same way they would with ChatGPT. These chatbots can search the internet and summarize the page the user is on, incorporating the results into their answers. However, their actions are typically limited to responses within the chatbot itself.
  • AI Agents - these browsers have a native AI agent that can perform actions on the user’s behalf within the browser. With the right prompts, they can navigate through pages, log in to accounts, purchase flight tickets and even download files.

Case Studies

While we will be discussing an array of case studies, they can primarily be classed into 3 categories based on the security limitations they exploit in AI browsers:

Falling into a Malicious Workflow while Surfing the Internet

Given that AI Browsers are performing tasks on the user’s behalf, typically with the same privilege levels, attackers can easily trick them into granting permissions. This case study shows how SEO Poisoning causes Perplexity Comet to grant unauthorized access to the victim’s business emails and Google Drive.

Following Malicious Instructions on Trusted Apps

Attackers can also insert malicious prompts in trusted apps that the victim is logged into. This case study shows how prompt injection attacks within these apps can lead Comet to embed malicious links in calendar invites.

Downloading a Malicious File

Like most AI Browsers, Comet cannot inspect the files it downloads. Attackers can easily disguise malicious files as benign files necessary to complete the workflow, leading to malware/ransomware being downloaded.

Securing AI Browsers

In order to prevent the above attacks, it is critical to have a browser-native solution, whether it comes in the form of embedded security by the AI Browsers themselves or a browser security solution that is compatible with these AI Browsers. These solutions should take into account:

Agentic Identity
The ability to distinguish between agentic and user identity, and hence to implement differentiated policies for each. Currently, Comet operates at the same privilege level as the user, and SASE/SSE solutions have no way to distinguish network requests made by the user from those made by Comet, as they all come from the same browser.
Agentic DLP
Once the differentiated identity is established, enterprises can also implement different data access policies between human and automated workflows in AI Browsers to prevent data leakage/data exfiltration attacks.
Client-side File Scanner
Given that AI Browsers can be easily tricked into downloading files, it is critical for browsers to inspect all file downloads, blocking malicious files from being downloaded. This is especially important for BYOD devices where there is no EDR protection.
Extension Analysis and Risk Scoring
This includes a comprehensive audit of all extensions installed in an organization, providing a risk score for every extension so that enterprises can block high-risk extensions, including those that can impersonate Comet sidebars. This analysis should take into account not just public metadata but also advanced static code analysis and dynamic analysis of the extension, in order to identify hidden malicious behavior that may only reveal itself after a certain time, user action or environment.
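
As an added illustration of the public-metadata part of such an audit (not SquareX's scoring model and not code from this page), the following scores an extension from its manifest alone. The weights, thresholds and sample manifests are constructed assumptions; code-level static analysis and dynamic analysis are out of scope here.

```javascript
// Added example: manifest-only risk scoring for a browser extension.
// Weights, thresholds and sample manifests are illustrative assumptions.
const PERMISSION_WEIGHTS = new Map([
  ["debugger", 4],        // can attach to and control other tabs
  ["scripting", 3],       // can inject scripts into pages
  ["webRequest", 3],      // can observe network requests
  ["cookies", 3],         // can read cookies for permitted hosts
  ["nativeMessaging", 3], // can talk to a local native program
  ["sidePanel", 2],       // can render its own sidebar UI
  ["downloads", 2],
  ["tabs", 1],
]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function scoreManifest(manifest) {
  const findings = [];
  let score = 0;
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    if (PERMISSION_WEIGHTS.has(p)) {
      score += PERMISSION_WEIGHTS.get(p);
      findings.push(`permission:${p}`);
    }
  }
  // Host access lives in host_permissions (MV3), permissions (MV2) and content_scripts.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms,
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const broad = hosts.some((h) => BROAD_HOSTS.has(h));
  if (broad) { score += 4; findings.push("hosts:all-sites"); }
  // Sidebar UI plus script injection on every site is the combination relevant
  // to the sidebar-impersonation risk described above, so it scores extra.
  if (broad && perms.includes("sidePanel") && perms.includes("scripting")) {
    score += 3;
    findings.push("combo:sidebar+inject-everywhere");
  }
  const level = score >= 10 ? "high" : score >= 5 ? "medium" : "low";
  return { score, level, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_SIDEBAR = { manifest_version: 3, permissions: ["sidePanel", "scripting", "tabs", "storage"], host_permissions: ["<all_urls>"] };
const SAMPLE_NOTES = { manifest_version: 3, permissions: ["storage"], host_permissions: ["https://notes.example.com/*"] };
const SAMPLE_MV2 = { manifest_version: 2, permissions: ["cookies", "<all_urls>"] };

for (const m of [SAMPLE_SIDEBAR, SAMPLE_NOTES, SAMPLE_MV2]) console.log(scoreManifest(m));
```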

The SquareX Solution

SquareX's extension turns any browser on any device into an enterprise-grade secure browser. SquareX is the only solution that combines all three key components of browser security in a single platform:

  • Browser Detection and Response to detect & mitigate web attacks including identity attacks, malicious extensions, advanced spearphishing attacks and malicious files
  • Enterprise browser to provide secure access to enterprise apps including VDI reduction, BYOD, 3rd party contractors and remote workers
  • Browser DLP including GenAI DLP, clipboard DLP, file DLP, insider attacks and data exfiltration attacks

The lightweight browser extension is compatible with all major browsers, including Chrome, Edge, Safari and Firefox, and can be easily deployed across both managed and unmanaged devices.