Warning: Agentic AI browsers may put user data at serious risks!

Agentic AI browsers may put user data at serious risks- GCC Business News
Rep Image credits: Magnific | Cropped by GBN
By Desk Reporter, GCC Business News

AI-powered agentic browsers capable of automating online tasks could undermine a core web security safeguard, allowing cyberattacks that expose sensitive user data, according to new research from the University of Washington.

Over the past year, artificial intelligence companies have introduced agentic web browsers that can perform tasks such as planning trips, researching destinations, booking reservations, and updating calendars with minimal user input.

While these AI agents promise greater convenience, researchers warn they may also introduce significant cybersecurity vulnerabilities.

A team from the University of Washington evaluated seven popular agentic browsers and found that four of them created pathways for attackers to bypass the web’s same-origin policy, a foundational security mechanism that prevents websites from accessing each other’s data.

Researchers successfully demonstrated a proof-of-concept attack against ChatGPT Atlas, enabling one website to steal information from another embedded site. Similar vulnerabilities were also identified in Chrome with Gemini, Claude for Chrome, and Perplexity Comet. Browsers that granted AI agents fewer permissions were found to offer stronger security protections.

Core web security protections at risk

The same-origin policy, introduced in 1995, is one of the internet’s most important security safeguards. It prevents websites from interacting with data belonging to other sites, even when one webpage is embedded within another.

This safeguard allows users to safely access multiple websites simultaneously by preventing sensitive information, such as banking credentials, email content, passwords, and personal information, from being shared across browser tabs or websites.

Apple Working on Theft Detection Lock Feature
Rep. Image credits: katemangostar @ Magnific | Cropped by GBN

The study found that agentic browsers interact with the same-origin policy differently. AI agents with broader browser permissions can be manipulated in ways that human users typically would not, weakening long-established browser security protections.

Hidden instructions can manipulate agentic AI

The researchers’ proof-of-concept attack relied on prompt injection, in which malicious instructions are embedded within a webpage, sometimes hidden in its underlying code, to influence an AI agent’s behavior.

In one example outlined in the study, an AI agent asked to summarize a webpage could unknowingly follow hidden instructions embedded in malicious content, extract sensitive information from another site, and automatically submit it through an online form controlled by an attacker.

UAE Cyber Security Council -digital identity threats-GCC Business News
Rep Image Credits: DC Studio@Freepik | Cropped by GBN

Because several agentic browsers allow AI agents to access embedded webpage content, attackers can exploit hidden instructions to bypass traditional browser security protections and potentially access sensitive user information.

Memory poisoning creates additional threats

Researchers also identified memory poisoning as another emerging security concern. Many AI agents store and consolidate information from previous browsing sessions to improve future performance. During this process, information from different websites can become mixed together, making it more difficult to determine the original source of stored data.

As a result, malicious instructions encountered in earlier browsing sessions could remain in an AI agent’s memory and influence future actions, even if the initial exploitation attempt was unsuccessful.

More powerful AI features often mean higher risk

OpenAI Codex holiday promotion
Image credits: freepik | Cropped by GBN

The research suggests that browsers offering the broadest AI capabilities also face the greatest security challenges, while more limited systems tend to reduce exposure to risk. The safest browser evaluated, Firefox AI Mode, offered the most restricted agentic functionality.

Researchers shared their findings with the companies behind the browsers included in the study. According to the research team, Anthropic and Firefox did not respond, while OpenAI and Perplexity declined the report. The researchers said there is currently no clear solution that preserves advanced AI browser capabilities while fully addressing the identified security risks.

The findings were presented at the Agents in the Wild Workshop in Rio de Janeiro, highlighting growing concerns that rapid advances in AI-powered browsing may be outpacing the development of adequate security safeguards.

Top Picks | Day of the Seafarer 2026: Celebrating unsung heroes carrying global trade

YOU MAY LIKE