Fill out the form to request an enterprise pilot. For direct inquiries, please email founder@sqrx.com.
Browser AI agents are softwares that can interact with the web and perform actions on the user's behalf. Some popular browser agents include OpenAI's Operator, Claude's Computer Use and the popular open source browser agent framework called Browser Use.
These Browser AI Agents allow users to automate a variety of multi-step tasks on the internet, from scheduling meetings and managing inboxes to booking flights and researching the Top 10 TV shows to look out for.
To understand why Browser AI Agents are the new weakest link, one must grasp two fundamental truths about these agents:
First, they are trained to complete tasks, not to be security aware. The primary objective of Browser AI Agents is to interpret and perform actions based on the user's instructions as efficiently and accurately as possible, even if certain steps may expose them to security risks. Unlike employees, they do not receive regular security training on identifying malicious behaviour and the latest threat vectors. Additionally, the employees behind these agents are likely not security aware enough to provide the necessary security guardrails in these prompts.
Second, the Browser AI Agents are performing actions on the user's behalf, with the same privilege level as the user, frequently with access to the user's identity, enterprise apps and company data that the employee is granted access to. As a result, there is no way for the browser or service provider to differentiate between the actions performed by the user and the Browser AI Agents.
In other words, not only do these agents have the same level of access as employees, they have poorer security awareness than an average employee. This makes them especially susceptible to any attack designed to target employees, allowing attackers to recycle many of their "basic" attack campaigns that no longer work on many employees.
To illustrate this, below are two case studies of Browser AI Agents falling prey to a simple phishing and OAuth attacks, despite the many malicious indicators throughout the workflow. Both demos were done with Browser Use, the popular open source Browser AI Agent framework used by thousands of organizations today.
Browser AI Agent Developers like OpenAI and Anthropic should train their models to be more security aware. Beyond avoiding prompt injection, these Browser AI Agents should be trained to recognize and avoid common web-based attacks such as spearphising and malvertising. However, due to the lack of well labelled public datasets and the quickly evolving threat landscape, it is unlikely that the efforts from Browser AI Agent developers will be sufficient.
Today, browsers are unable to distinguish between an action performed by a real user and a Browser AI Agent. Browser vendors such as Chrome, Safari and Firefox should develop ways to make this distinction, potentially to limit or implement stricter guardrails on the actions that Browser AI Agent can perform.
Before browser vendors successfully make this distinction, it is critical for any enterprises that use Browser AI Agents to adopt browser-native tools that can prevent browser-native threats from tricking these agents into malicious activities. For instance, using the example from this blog, SquareX's Browser Detection and Response can block risky OAuth permissions from being granted to non-whitelisted sites.
Eventually, it will also be critical for identity providers (IDPs) such as Okta and Ping Identity to recognize different Browser AI Agent identities associated with each user's identities. This will allow granular policies to be implemented on what each Browser AI Agent can perform on the user's behalf.
SquareX's extension turns any browser on any device into an enterprise-grade secure browser. SquareX is the only solution that combines all three key components of browser security in a single platform:
The lightweight browser extension that is compatible with all major popular browsers including Chrome, Edge, Safari and Firefox and can be easily deployed across both managed and unmanaged devices.