Researchers Train AI Browser Into Phishing Trap in Minutes
Security teams have shown that agentic AI web browsers can be tricked into carrying out phishing scams by targeting the browser’s own reasoning and feedback. Guardio said it used intercepted signals from Perplexity’s Comet browser to iteratively refine a malicious page until the AI agent accepted it and performed actions on a phishing site in under four minutes.
How the attack works
Guardio described a technique it calls “Agentic Blabbering,” where the AI browser narrates what it sees, what it suspects, and what it plans to do. Security researcher Shaked Chen said, “The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way. Well, ‘narrating’ is quite an understatement – It blabbers, and way too much!”
By watching those signals, attackers can treat them as training feedback. “If you can observe what the agent flags as suspicious, hesitates on, and more importantly, what it thinks and blabbers about the page, you can use that as a training signal,” Chen explained. Guardio said researchers fed intercepted traffic into a generative adversarial loop to update the phishing page until the Comet agent stopped resisting and carried out the scam.
The practical result is that an attacker no longer needs to convince a human. Instead, the scam targets the AI agent that many users rely on. “This reveals the unfortunate near future we are facing: scams will not just be launched and adjusted in the wild, they will be trained offline, against the exact model millions rely on, until they work flawlessly on first contact,” Guardio said.
Related demonstrations and fixes
Other research groups have shown similar risks. Trail of Bits demonstrated prompt-injection techniques against Comet that could extract private data from services like Gmail by coaxing the browser assistant into leaking or exfiltrating information. Zenity Labs detailed two zero-click attacks that used indirect prompt injection inside calendar invites to exfiltrate local files or, in one scenario, to interact with a password manager if it was unlocked.
Zenity called one flaw “PleaseFix” and said the issue could operate without any user clicks: a malicious calendar entry can look benign but contain attacker instructions that the agent executes when asked to summarize or prepare for the meeting. “When the agent merges a benign user request with attacker-controlled instructions from untrusted web data into a single execution plan, without a reliable way to distinguish between the two,” security researcher Stav Cohen said, describing the core problem known as intent collision.
Zenity said the bug was fixed after responsible disclosure. “The fix includes a new hard boundary deterministically limiting the browser’s ability to autonomously access file:// paths,” the researchers explained, adding that this prevents agents from navigating the local filesystem on their own.
Researchers and vendors warn the underlying problem is hard to eliminate. OpenAI noted that prompt-injection risks in agentic browsing are difficult to solve completely, and suggested automated attack discovery, adversarial training, and system-level safeguards as risk-reduction steps.
For users, the immediate takeaway is to treat agentic features with caution: keep extensions and browsers updated, limit granting of autonomous access to files or accounts, and avoid relying on an AI agent to handle sensitive actions without oversight.
#AIsecurity #Phishing #PromptInjection #BrowserVulnerabilities