Deep Dive into Architectural Vulnerabilities in Agentic LLM Browsers

Key Takeaways

• Agentic LLM browsers grant high-privilege access to AI agents, bypassing traditional browser sandboxes to perform autonomous actions.
• Attackers can perform 'Agent-jacking' by exploiting XSS vulnerabilities on trusted, whitelisted domains (e.g., perplexity.ai, openai.com) to hijack the AI agent.
• Compromised agents can be weaponized to read local files, access internal network resources, exfiltrate data from other tabs, and send unauthorized emails.
• Data void attacks and indirect prompt injections (e.g., via HTML titles) can manipulate the LLM's logic to execute malicious tools or download payloads.
• System prompts can be extracted, revealing the underlying instructions and operational logic of the agentic browser.

Affected Systems

• Comet (Perplexity)
• OpenAI Atlas
• Microsoft Edge Copilot
• Brave Leo AI
• Chromium-based browsers

Attack Chain

An attacker identifies an XSS vulnerability on a trusted domain (e.g., perplexity.ai or copilot.microsoft.com) that is whitelisted by the agentic browser. Using this trusted context, the attacker executes JavaScript to send messages to the privileged internal browser extension or API (e.g., via chrome.runtime.sendMessage or window.parent.postMessage). The extension, running with elevated permissions like the Chrome DevTools Protocol (debugger), executes the attacker's commands. This allows the attacker to autonomously navigate the browser, exfiltrate sensitive data from other tabs or local files, and perform actions on behalf of the user.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but emphasizes the need for data-aware detection to monitor anomalous file reads, unusual outbound connections, and unexpected access to sensitive data.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can monitor browser processes reading sensitive local files or making unusual network connections, but the internal IPC/Mojo communications and extension activities are largely opaque to standard EDR. Network Visibility: Medium — Network monitoring can detect exfiltration to unknown IPs or unusual WebSocket traffic patterns, but the traffic is often encrypted and originates from the legitimate browser process. Detection Difficulty: Hard — The malicious actions are performed by the legitimate browser process using authorized extensions, making it difficult to distinguish from legitimate user-initiated AI tasks.

Required Log Sources

• Browser extension logs
• Network flow logs
• File access logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for browser processes accessing sensitive local files (e.g., SAM, passwords.txt, SSH keys) without explicit user interaction.	File access logs, EDR process telemetry	Collection	Low
Identify unusual cross-origin messaging or API calls (e.g., window.parent.postMessage) originating from iframes to privileged internal browser pages (e.g., edge://).	Browser developer tools/telemetry	Privilege Escalation	Medium
Monitor for browser processes initiating connections to local network IP addresses (e.g., 192.168.x.x) that are not typical for the user's browsing behavior.	Network flow logs	Discovery	Medium

Control Gaps

• Lack of granular visibility into browser extension IPC/Mojo communications
• Inability to differentiate between user-initiated and AI-initiated browser actions

Key Behavioral Indicators

• Browser process reading local files via file:// URI
• Unexpected WebSocket connections containing raw CDP commands (e.g., LEFT_CLICK, WAIT)

False Positive Assessment

• High

Recommendations

Immediate Mitigation

• Restrict the use of fully autonomous agentic browsers in highly sensitive environments until robust security controls are implemented.
• Ensure browsers and their integrated AI extensions are kept up to date to patch known prompt injection and XSS vulnerabilities.

Infrastructure Hardening

• Implement strict network segmentation to prevent browsers from accessing internal management interfaces (e.g., router logins) unless explicitly required.
• Deploy Data Loss Prevention (DLP) solutions to monitor and block the exfiltration of sensitive data from browser processes.

User Protection

• Educate users on the risks of interacting with untrusted content using agentic browsers.
• Disable unnecessary browser extensions and restrict permissions for required ones.

Security Awareness

• Train security teams on the novel attack vectors introduced by LLM-integrated browsers, such as indirect prompt injection and agent-jacking.

MITRE ATT&CK Mapping

• T1189 - Drive-by Compromise
• T1059.007 - Command and Scripting Interpreter: JavaScript
• T1566 - Phishing
• T1213 - Data from Information Repositories
• T1005 - Data from Local System
• T1185 - Browser Session Hijacking

Additional IOCs

• Ips:
  • 89[.]139[.]128[.]145 - Attacker server IP used in the PoC for indirect prompt injection via HTML title.
• Domains:
  • gordonvillefc[.]com - Domain used in the data void and malicious download PoC.
  • israelcentral[.]cloudapp[.]azure[.]com - Azure domain used in the PoC for indirect prompt injection.
• Urls:
  • comet://extensions/ - Comet internal extensions page.
  • brave://leo-ai - Brave Leo AI internal interface.
  • chrome://serviceworker-internals - Internal Chromium page used to expose and debug internal extensions.
• File Paths:
  • C:\Users\Itay\package-lock.json - Local file read during the PoC using the Comet GetContent tool.