
The internet is not a safe space and it’s about to get worse. A new “attack surface is far wider than anything we’ve faced before,” with “hidden risks” that “compromise millions of users simultaneously.” And Google’s defenses are “unfortunately insufficient.”

That’s the warning from Guardio, which has set out to understand just how exposed we are by new AI browsing tools and the extent to which they put us all at risk. The results are alarming. It is “a perfect trust chain gone rogue,” the team says, and you need to shore up your personal defenses before it’s too late.

While “AI Browsers promise a future where Agentic AI works for you, fully automating online tasks from shopping to handling emails,” this convenience “comes with a cost.” The team set up three tests: instructing AI to find and buy a product online, allowing AI to open a banking sign-in page, and a new spin on the viral ClickFix attack.


In each case, the AI agent put its human at risk — and these attacks are not sophisticated. Almost all humans would have detected these threats. And that’s the key message here — AI is too easily fooled, and this attack surface is so new, that more sophisticated adversaries are only just getting started.

“AI Browsers are no longer a concept,” Guardio says. “Microsoft has Copilot built into Edge. OpenAI is experimenting with a sandboxed browser in ‘agent mode’. And Perplexity’s Comet fully embraces the idea of a browser that browses for you. Searching, reading, shopping, clicking. It’s not just assisting us, but increasingly replacing us.”

In the first test, a fake Walmart online store was spun up. “The site had everything: a clean design, realistic product listings, and a checkout flow good enough to pass a casual glance.” Within the AI browser “the page loads without issue and isn’t blocked by Google Safe Browsing, even though GSB is active in this Chromium-based browser.”

The AI agent was told to buy an Apple Watch and it did exactly that. “It found the Apple Watch, added it to the cart, and, without asking for confirmation, autofilled our saved address and credit card details.” Seconds later “the purchase was complete.” There is no watch, of course, just opportunistic scammers “already spending their money.”

The test didn’t always succeed; sometimes the AI was not fooled, but it was fooled plenty of times. “And when security depends on chance, it’s not security.”

In the second test, the AI browser was directed by a phishing email to a fake Wells Fargo sign-in page. “There was no URL check, no pre-navigation warning, just a direct pass to the attacker’s page. Once the fake Wells Fargo login loaded, the browser treated it as legitimate. It prompted the user to enter credentials, even helping fill in the form.”

The third test expanded on the new prompt injection threat, hiding the injected prompt behind a typical ClickFix popup. In this case it was a Captcha, but one with hidden instructions for the AI agent to ignore what was visible to the human and run a different script instead.

“We don’t try to glitch the model into obedience,” Guardio says. “Instead, we mislead it using techniques borrowed from the human social engineering playbook — appealing directly to its core design goal: to help its human quickly, completely, and without hesitation. We just provide it with the best (manipulating) methods to do so.”

Guardio warns that “in the AI-vs-AI era, scammers don’t need to trick millions of different people; they only need to break one AI model. Once they succeed, the same exploit can be scaled endlessly. And because they have access to the same models, they can ‘train’ their malicious AI against the victim’s AI until the scam works flawlessly.”


This works because “security is often an afterthought or delegated entirely to existing tools like Google Safe Browsing, which is, unfortunately, insufficient.” Even the fake Wells Fargo sign-in page, which was “active in the wild for several days,” was “still unflagged by Google Safe Browsing.”

The advice is simple. If you use an AI agent and give it free rein, then change your browser settings to apply Enhanced Protection. If this isn’t available, change your browser. You also need to be careful with browser-based password managers, saved credit card details and autofill. If you allow your AI agent to tap into your security credentials and your financial information, then you’re out on thin ice.

In a world where Google controls the internet, directing us and our AI agents to the websites we visit, Google’s defenses protect the internet. If they don’t work, then the internet doesn’t work. A rethink is required before it’s too late.

I have reached out to Google for any comments on this new report.