Inside the Agentic Browser: How AI-Powered Browsers Are Opening Doors to Silent Data Heists
As AI-driven browsers automate our web experience, a new breed of cyber threats is quietly exploiting their hidden vulnerabilities.
It was supposed to be the next leap in productivity: browsers powered by large language models (LLMs) that could surf, click, and summarize the web for us. But as these “agentic browsers” like Perplexity Comet, OpenAI Atlas, Edge Copilot, and Brave Leo evolve, security researchers warn they are also quietly rewriting the rules of browser hacking - turning old web bugs into full-blown, AI-fueled compromise channels.
Agentic browsers promise to take the drudgery out of the web - navigating, filling out forms, and gathering information with a simple prompt. Under the hood, though, these tools require deep hooks into the browser’s core, exposing privileged APIs through extensions or inter-process communication (IPC). This lets the AI act almost like a human user, but it also puts dangerous power within reach of anyone who can exploit a bug.
Recent findings by Varonis Threat Labs reveal that a vulnerability as old as Cross-Site Scripting (XSS) can now escalate far beyond its original impact. In Perplexity’s Comet, for example, an attacker who exploits XSS on any trusted site can directly send commands to the browser’s AI agent, triggering actions like reading other tabs, clicking through interfaces, or sending emails - without the user’s knowledge. The attack surface grows exponentially, as a single misconfiguration or overlooked permission can hand over the keys to the AI’s control plane.
OpenAI’s Atlas faces similar risks. If XSS occurs on a trusted OpenAI domain, attackers may access low-level browser controls, bypassing the usual AI guardrails and taking direct command of the browser engine. Even Edge Copilot and Brave Leo, which implement stricter message origin checks and limit agentic features, are forced to walk a fine line between usability and security.
To defend against these threats, some browsers are introducing new safeguards - like Comet’s “local_search_enabled” flag, which tries to limit agentic actions when requests come from suspicious sources. Atlas uses sandboxing to contain agent-generated input. Brave sidesteps many of these risks by keeping its AI non-agentic and loading its UI from internal resources. But researchers caution that these are partial fixes at best: the core paradox remains that for agentic browsers to be truly helpful, they must break the very boundaries that browsers have spent years enforcing.
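The origin checks and guardrails mentioned above come down to how the privileged bridge between web content and the agent treats incoming messages. The following is an added example, not code from the article or from any of the browsers it names: a simulated `window.postMessage` bridge handler written as pure functions so it runs under Node without a DOM. The weak version forwards whatever arrives; the hardened version requires an exact-match origin allowlist, a typed message schema, a command allowlist, and a user confirmation for sensitive actions. All command names, origins and policy fields are hypothetical.

```javascript
// Added example (not the article's or any browser vendor's code): a simulated
// privileged "agent bridge" that receives postMessage-style events from web
// content. Events are plain objects standing in for MessageEvent.

// Hypothetical command names, constructed for this example.
const SAFE_COMMANDS = new Set(["summarize_page", "scroll_to"]);
const SENSITIVE_COMMANDS = new Set(["read_other_tabs", "send_email", "fill_form"]);

// Weak handler: trusts whatever arrives and dispatches it. This is the shape
// of bridge that lets script injected on any page reach the agent.
function weakBridgeHandler(event) {
  const { command, args } = event.data || {};
  if (typeof command !== "string") return { accepted: false, reason: "malformed" };
  return { accepted: true, command, args: args ?? null, origin: event.origin };
}

// Hardened handler. `policy.allowedOrigins` is a Set of exact origins and
// `policy.confirmedByUser` records whether the user explicitly approved this action.
function hardenedBridgeHandler(event, policy) {
  const { allowedOrigins, confirmedByUser } = policy;
  // 1. Exact origin match; never a substring or startsWith test, which a
  //    lookalike host such as https://agent.example.attacker.test would pass.
  if (!allowedOrigins.has(event.origin)) {
    return { accepted: false, reason: "origin_not_allowed", origin: event.origin };
  }
  // 2. Strict message shape: a typed envelope with a string command.
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "agent-command" || typeof data.command !== "string") {
    return { accepted: false, reason: "malformed" };
  }
  // 3. Command allowlist: unlisted verbs are dropped, not forwarded to the agent.
  if (!SAFE_COMMANDS.has(data.command) && !SENSITIVE_COMMANDS.has(data.command)) {
    return { accepted: false, reason: "command_not_allowed", command: data.command };
  }
  // 4. Sensitive actions need explicit user confirmation. An origin check alone
  //    cannot tell the genuine page apart from injected script running on it.
  if (SENSITIVE_COMMANDS.has(data.command) && !confirmedByUser) {
    return { accepted: false, reason: "confirmation_required", command: data.command };
  }
  return { accepted: true, command: data.command, args: data.args ?? null, origin: event.origin };
}

// Constructed sample events; origins and payloads are made up for this example.
const SAMPLE_EVENTS = {
  trustedSafe: { origin: "https://agent.example", data: { type: "agent-command", command: "summarize_page" } },
  trustedSensitive: { origin: "https://agent.example", data: { type: "agent-command", command: "send_email", args: { to: "someone" } } },
  lookalikeOrigin: { origin: "https://agent.example.attacker.test", data: { type: "agent-command", command: "summarize_page" } },
  unknownCommand: { origin: "https://agent.example", data: { type: "agent-command", command: "unlisted_action" } },
};

const POLICY = { allowedOrigins: new Set(["https://agent.example"]), confirmedByUser: false };

// Runs every sample event through both handlers and reports the decisions.
function runComparison() {
  return Object.entries(SAMPLE_EVENTS).map(([name, ev]) => {
    const hardened = hardenedBridgeHandler(ev, POLICY);
    return { name, weak: weakBridgeHandler(ev).accepted, hardened: hardened.accepted, reason: hardened.reason ?? "ok" };
  });
}

if (typeof module !== "undefined" && require.main === module) console.table(runComparison());
```

The point of the fourth check is the article's paradox in miniature: an origin allowlist stops cross-origin senders, but a script injected into an allowlisted page carries that page's origin, so the bridge must also constrain what any sender can ask for and require a user decision before the agent touches other tabs, forms or mail.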
As browser-based AIs take on more responsibility, a single overlooked bug or clever prompt injection could quietly hand over your entire online session - and all your data - to an attacker. The convenience of agentic browsing comes at a hidden cost. For users and developers alike, the message is clear: in the age of AI, browser security is being rewritten, and the stakes have never been higher.
WIKICROOK
- Agentic Browser: An agentic browser uses AI to autonomously perform online tasks and make decisions for users, streamlining web interactions and boosting productivity.
- Cross-Site Scripting (XSS): Cross-Site Scripting is a cyberattack where hackers inject malicious code into websites to steal user data or hijack sessions.
- Prompt Injection: Prompt injection is when attackers feed harmful input to an AI, causing it to act in unintended or dangerous ways, often bypassing normal safeguards.
- Inter-Process Communication (IPC): Inter-process communication is the exchange of data between software processes on the same device. Securing IPC is crucial to prevent unauthorized access and attacks.
- Session Hijacking: Session hijacking is when an attacker steals or mimics a user's session to gain unauthorized access and act as that user online.