The new risk from AI browsers
One challenge in the field of AI-enabled attacks — which is to say, attacks that didn’t exist or weren’t possible before genAI — is how quickly everything changes. Take AI browsers, for example. This new category of web browser includes Perplexity Comet, Dia (by The Browser Company), Fellou, Opera Neon, Sigma AI Browser, Arc Max, Microsoft Edge Copilot, Brave Leo, Wave Browser Pro, SigmaOS, Opera Aria, Genspark AI Browser, Poly, Quetta Browser, Browserbase, Phew AI Tab, and the upcoming OpenAI browser.
The most agentic is Perplexity’s Comet browser, which clicks links, navigates web pages, fills out forms, manages emails and calendars, books travel and makes purchases, analyzes browsing history, automates multistep workflows, interacts with logged-in services, compares products across websites, unsubscribes from emails, extracts and synthesizes information from multiple sources, manages tabs by opening and closing them, searches and filters through user-executed complex research tasks autonomously, and provides conversational assistance with contextual awareness across all browsing activities.
Security researchers at Guardio Labs demonstrated how simple it has become for criminals to trick AI browsers into committing crimes. When the researchers instructed Comet to buy an Apple Watch, the AI obediently visited a fake Walmart website they had created in 10 seconds using basic web tools. The browser ignored obvious signs of fraud and automatically filled in saved credit card details and shipping information to complete the purchase. In testing, Comet sometimes has refused the transaction or has asked for human approval, but in other cases it has handed over sensitive payment data directly to the scammers.
