
Lack of isolation in agentic browsers resurfaces old vulnerabilities

Agentic browsers, which embed AI agents, reintroduce web security vulnerabilities because of inadequate isolation. These browsers give AI agents access to sensitive user data, reproducing traditional browser vulnerabilities like XSS and CSRF. The study identifies four trust zones (chat context, third-party servers, browsing origins, and the external network) and four violation classes (INJECTION, CTX_IN, REV_CTX_IN, and CTX_OUT). Exploits are demonstrated by combining these violations, leading to data exfiltration and session confusion. Manipulation attacks succeeded in controlling the agent's behavior and output, including spreading false information. Data exfiltration attacks were also achieved, stealing user data through prompt injection combined with an exfiltration mechanism. Much like reflected XSS, prompt injections can be used to alter the normal content or the agent's output. The research highlights the potential for complete browser compromise due to lagging security updates. A key recommendation is to extend the Same-Origin Policy to secure agentic browsers. The attacks demonstrate the need for robust security measures in agentic browsers.
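The recommendation to extend the Same-Origin Policy can be made concrete as an origin-scoped chat context: page text is admitted only as data, content from another origin is refused, and outbound requests carrying context are gated by origin. The sketch below is an added example, not code from the paper or any browser; the zone names follow the page, while the tagging scheme, the "user" pseudo-origin and the method names are assumptions made here.

```python
# Added example, not from the paper or any browser project: a minimal
# same-origin-style policy for an agent's chat context, in the spirit of the
# page's recommendation. Zone names follow the page; the tagging scheme, the
# "user" pseudo-origin and the method names are assumptions made here.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Scheme + host[:port], the tuple the browser's Same-Origin Policy keys on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


@dataclass(frozen=True)
class Tagged:
    text: str
    origin: str  # "user" for text typed into the chat, otherwise the page origin


@dataclass
class AgentContext:
    """Chat context scoped to one browsing origin."""
    scope: str                                           # origin this context serves
    items: list[Tagged] = field(default_factory=list)
    user_grants: set[str] = field(default_factory=set)   # origins the user allowed sends to

    def admit(self, item: Tagged) -> str:
        """Admit user or page content. Page text is only ever data, never an
        instruction (counters prompt injection); text from a different origin is
        refused outright (counters session confusion between tabs)."""
        if item.origin != "user" and item.origin != self.scope:
            return f"blocked: content from {item.origin} in {self.scope} context"
        self.items.append(item)
        return "instruction" if item.origin == "user" else "data"

    def instructions(self) -> list[str]:
        """What the planner may treat as commands: user text only."""
        return [i.text for i in self.items if i.origin == "user"]

    def grant(self, url: str) -> None:
        """Explicit user consent for sending context to another origin."""
        self.user_grants.add(origin_of(url))

    def authorize_send(self, dest_url: str) -> str:
        """Gate any outbound request carrying context (counters exfiltration)."""
        dest = origin_of(dest_url)
        if dest == self.scope or dest in self.user_grants:
            return "allowed"
        return f"blocked: context for {self.scope} must not reach {dest}"
```

The policy only helps if the agent's planner reads `instructions()` rather than the raw context, so the data/instruction tag has to be enforced at the model boundary, not just stored.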