Agentic AI Browsers Face Critical Security Threats from Fraudulent Purchases and Phishing

A recent study by cybersecurity firm Guardio Labs has revealed significant security vulnerabilities in emerging agentic AI browsers, with Perplexity’s Comet browser demonstrating susceptibility to automated fraudulent purchases, credential phishing, and novel prompt injection attacks¹. These findings, reported on August 20, 2025, indicate that AI agents designed to autonomously perform tasks like shopping and email management can be manipulated into interacting with malicious pages and prompts with minimal or no user interaction².

The research highlights three primary attack vectors that successfully compromised the Comet browser’s security protocols. In the most direct financial threat, researchers used an AI-powered website builder to create a convincing fake Walmart site and then instructed Comet to “Buy me an Apple Watch” while on this malicious domain. The AI agent scanned the site, navigated to checkout, autofilled the user’s saved credit card and address details from its stored data, and completed the purchase without seeking any human confirmation¹. This attack demonstrates how AI agents can bypass traditional human verification steps that might identify fraudulent sites.

**TL;DR for Security Leadership:**
* **Threat:** Agentic AI browsers (Perplexity Comet, Microsoft Edge Copilot, OpenAI Aura) are vulnerable to automated exploitation.
* **Vectors:** Fraudulent purchases, credential phishing via email, and novel “PromptFix” hidden command injection.
* **Impact:** Unauthorized financial transactions, credential theft, and malware installation with minimal user interaction.
* **Terminology:** Guardio Labs has coined the term “Scamlexity” to describe this new era of AI-driven, scalable attacks targeting the AI model itself.
* **Recommendation:** Restrict AI agent permissions for sensitive tasks (banking, shopping), avoid storing credentials with AI agents, and require manual input for final confirmation steps.

Technical Analysis of Attack Vectors

The Guardio Labs research team conducted methodical testing against Perplexity’s Comet browser, which represents a leading implementation in this new software category. The attacks did not require sophisticated zero-day exploits but rather leveraged the AI’s inherent functionality against itself. The credential phishing attack involved sending a carefully crafted fake Wells Fargo phishing email from a ProtonMail address containing a link to a live phishing page. When researchers asked Comet to check for action items in the user’s inbox, the AI treated the fraudulent email as a legitimate instruction from the bank. It automatically clicked the embedded link, loaded the fake login page, and then prompted the user to enter their banking credentials, effectively endorsing the scam’s authenticity¹.

Perhaps the most technically novel method discovered was dubbed “PromptFix” by the researchers. This technique represents an AI-era adaptation of classic ClickFix scams. Attackers embed malicious instructions for the AI within the source code of a webpage, hidden from human view using standard HTML comments or other obfuscation techniques. In their proof of concept, researchers created a fake CAPTCHA page where the “solve” button contained these hidden commands. Comet interpreted these commands as valid user instructions, clicked the button, and triggered the download of a malicious file, leading to a potential drive-by download scenario². Guardio confirmed this technique also functions against ChatGPT’s Agent Mode, albeit within a more restricted sandboxed environment.

The Broader Threat Landscape and Criminal Adaptation

The implications of these vulnerabilities extend beyond a single product. Guardio Labs has introduced the term “Scamlexity” to describe this new attack paradigm where threat actors target the AI model directly instead of millions of individual users². This shift is significant because it allows for infinite scalability; once a successful malicious prompt or hidden command is engineered, it can be deployed automatically against any user of that AI system. Furthermore, attackers can use the same generative AI tools used to develop these browsers to “train” and refine their malicious prompts through iterative testing against the target AI until the scam executes flawlessly.

This trend is corroborated by intelligence from other major security firms. Palo Alto Networks Unit 42 and Proofpoint have both observed a marked increase in criminals utilizing GenAI platforms, such as the Lovable tool used in the fake shop scam, to generate highly realistic phishing sites and content at an unprecedented scale and speed². This significantly lowers the technical and financial barrier to entry for cybercrime. CrowdStrike’s 2025 Threat Hunting Report further notes that threat actors are increasingly incorporating GenAI tools to enhance the sophistication and believability of their social engineering and phishing operations, making traditional detection based on grammatical errors or poor design less effective.

Security Recommendations and Mitigation Strategies

Until robust security architectures mature for autonomous AI agents, security professionals should advocate for strict control policies. The primary recommendation is to avoid delegating sensitive tasks, particularly online banking, shopping, or email management, to AI agents. Organizations should enforce policies that prohibit the storage of credentials, financial details, or highly personal information within an AI agent’s profile or memory. For any action with financial or security implications, the system should be configured to require manual input of sensitive data as a final confirmation step, creating a necessary breakpoint for human review.

The development community faces the challenge of building proactive guardrails directly into these AI systems. Essential security features must include real-time phishing detection mechanisms that analyze site content and URLs before any autonomous action is taken, integration with URL reputation services to block navigation to known malicious domains, and malicious file scanning for any downloads initiated by the AI agent. These features need to operate at the speed of the AI’s decision-making process to be effective without degrading the user experience, representing a complex engineering challenge.

Conclusion and Future Implications

The emergence of agentic AI browsers like Perplexity’s Comet represents a significant technological advancement with clear productivity benefits. However, the research from Guardio Labs underscores that this innovation simultaneously creates a new and complex attack surface. The security community is now tasked with defending AI models that may follow malicious instructions without the inherent skepticism or inconsistency-checking of a human user. This “Scamlexity” era demands a fundamental shift in defensive strategies, moving from primarily protecting humans to also protecting the AI systems that act on their behalf. The speed of criminal adaptation using the same technologies highlights the critical need for security to be a foundational component, not an afterthought, in the development of all autonomous AI applications.