Agentic LLM Browsers Vulnerable to Prompt Injection and Data Theft
Severity: High (Score: 66.8)
Sources: www.varonis.com, Gbhackers, Cybersecuritynews
Summary
Agentic LLM browsers, which automate user tasks by reading and interacting with web content, introduce significant security risks related to prompt injection and data theft. These browsers, including Perplexity Comet, OpenAI Atlas, Edge Copilot, and Brave Leo, operate with elevated permissions that can be abused if an attacker gains control of a trusted domain. Such control can be obtained through attack vectors such as XSS, subdomain takeover, and backend RCE, and it allows attackers to bypass security measures and directly manipulate browser APIs. Because the agent acts with the user's cookies and permissions, integrating AI into the browser increases the potential for unauthorized data access and exfiltration. This poses a critical risk to users, as it can lead to cross-tab data theft and impersonation actions performed in the user's name. Varonis Threat Labs has highlighted these vulnerabilities, emphasizing the urgent need for awareness and mitigation strategies.
Key Points:
• Agentic LLM browsers automate tasks but expose users to prompt injection risks.
• Attackers can exploit trusted domains to bypass security and access sensitive data.
• Current architectures of these browsers increase the potential for unauthorized actions.
Key Entities
- MuddyWater (apt_group)
- Data Breach (attack_type)
- Malware (attack_type)
- Zero-day Exploit (attack_type)
- Startagent (campaign)
- openai.com (domain)
- Perplexity.ai (platform)
- Chromium (platform)
- Mojo IPC (platform)
- Swift (platform)
- WebSocket (platform)
- Remcos (malware)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1189 - Drive-by Compromise (mitre_attack)