Republished on July 3 with further advice from SquareX on defending against these new attacks, following the response to these new warnings.
A new warning has just been issued for Chrome and Edge users, as the feared tidal wave of AI attacks takes on an alarming new dimension. It turns out that the latest buzz around agentic AI might be a security nightmare suddenly come true. As ever with AI, the unintended consequences of new developments hit hard and fast.
The warning comes courtesy of SquareX. “Every security practitioner knows that employees are the weakest link in an organization,” it says. “But what if this is no longer the case?” It turns out that the browser agents now used by 79% of organizations might be doing more than saving time and money — they might be putting everyone at risk.
Google already warns Chrome users to enable Safe Browsing. “Each time that you visit a website or attempt a downloads,” it says, “Chrome checks with Safe Browsing based on the protection level that you’ve selected.”
SquareX’s Vivek Ramachandran told me “enterprise versions of consumer browsers like Chrome Enterprise and Edge for Business typically focus on browser hardening — enabling and disabling certain browser features like browser extensions.”
And while “some have the capability to create a whitelist/blacklist of sites to restrict the sites users can visit,” which in effect helps “prevent Browser AI Agents from falling prey to some attacks,” this would not help with “attacks that leverage legitimate functionalities within the browser, such as OAuth attacks.”
Ramachandran says “attackers realize this nuance, which is why we are seeing more attacks that exploit the architectural limitation of browsers and cannot be solved through browser hardening or even proxy-layer solutions (e.g. SASE/SSEs).”
All of which means you need to secure your browser as best you can when deploying agents. There’s a level of protection beyond this. Enhanced protection is “Google’s most secure browsing experience, [and]
offers security from known and potential new dangers,” meaning “you’ll receive warnings about potentially dangerous sites, downloads and extensions, even the ones that Google didn’t previously know about.”
Chrome users will be hardest hit by this warning, given the scale of its user base. But Edge also offers levels of protection. If you’re using agents, set your browser protection to its highest level while doing so. It’s nowhere near a catch-all, but it helps.
This is important because it turns out AI tools have the cyber awareness of a toddler. And if you ever let your toddler loose on your work PC, you’d switch everything on.
“Browser AI Agents expose organizations to a massive security risk,” SquareX warns. “These agents are trained to complete the tasks they are instructed to do, with little to no understanding of the security implications of their actions.”
This means no savvy awareness, no training, no sense of danger. “They cannot recognize visual warning signs like suspicious URLs, excessive permission requests, or unusual website designs that typically alert employees of a malicious site.”
For attackers, this becomes child’s play. Poison search results for typical tasks an agent might be given, and then harvest credentials or push malicious downloads, all without the agent’s handler ever knowing there’s an issue of any kind.
“Browser AI Agents are more likely to fall prey to browser-based attacks than even a regular employee,” SquareX says. “Even if it is possible for users to add guardrails, the overhead required to extensively write the security risk of every task performed by the agent in every prompt would probably outweigh the productivity gains.”
As with so many AI upgrades rapidly hitting phones and computers, the threats are not yet fully understood and the user base is too excited by the productivity gains to worry about the downsides. That will change. And beyond the security risks, there are also a raft of privacy concerns that similarly are just starting to hit home.
As AI “becomes increasingly integrated into daily workflows,” a new report from Incogni warns, “the potential for unauthorized data sharing, misuse, and personal data exposure has surged faster than privacy watchdogs or assessments can keep up with.”
In its proofs of concept, SquareX shows how a Browser AI Agent, “instructed to find
and register for a file sharing tool, succumbed to an OAuth attack.” This then “granted a malicious app complete access to the user’s email despite multiple suspicious signals – irrelevant permissions, unfamiliar brands, suspicious URLs — that likely would have stopped most employees from granting these permissions.”
In the same way, credit card information, access to file sharing apps, enterprise system credentials and any other web based tool the agent might find can be hacked. The risk stems from the agent operating with the user’s authentication and access rights, but in the background without ever checking back to ensure risks are not being taken.
As Ramachandran told me, “this attack works due to two core reasons. First, providers have no way to create a sub-identity for Browser AI Agents running on behalf of the user where further granular controls can be applied. This allows all Browser AI Agents to run on the same privilege levels as the user, providing them access to all enterprise SaaS apps, data and company resources that a real user has access to.”
Put at its simplest, Ramachandran says, “browsers cannot distinguish between an action performed by a real user and an action that is part of an automation workflow of a Browser AI Agent. This means that we are trusting that the Browser AI Agent is intelligent enough to avoid these attacks, which we already know is not true as these agents have a poorer security awareness than even an average employee.”
The answer is for enterprises “to provide browser-native guardrails that will prevent agents and employees alike from falling prey to these attacks.”
Unfortunately, right now that’s easier said than done.
SquareX now warns that “attackers have started to create sites designed specifically to lure Browser AI Agents to perform a different workflow than intended.” Given the lack of protections and the proven naivery of those agents, this is deeply alarming.
As for the team’s advice for organizations wanting to shore up their defenses: “Just as enterprises will not entrust users to freely download files and install applications on company devices without protection from Endpoint Detection and Response (EDR), we cannot expect users to fully police their own Browser AI Agent usage without browser-native security measures implemented by tools like Browser Detection and Response.”
This could fast become a major vulnerability across organizations with no easy solutions. “Gartner estimates that at least 15% of daily workflows will be completed by Browser AI Agents by 2028,” Ramachandran told me.
And as those agents become more powerful, that number will accelerate. “Tomorrow’s internet will be browsed by Browser AI Agents performing tasks on behalf of users. Today’s security strategies focus on reining in user behavior. However, with 79% of organizations already adopting Browser AI Agents, there needs to be a paradigm shift to rethink what secure browsing means from the vantage point of a Browser AI Agent.”
