Browser AI Agents: The New "Weakest Link"


Today, 79% of organizations use Browser AI Agent in their daily work. Yet, the adoption of Browser AI Agents comes with a massive security risk that remains significantly understudied. Most Browser AI Agents are trained to complete tasks, often without taking into account the security implications, making them even more prone to phishing, credential stealing and identity attacks than a regular employee.

In other words, employees are no longer the weakest link in an organization - Browser AI Agents are.
Browser AI Agents Weakest Link

See How SquareX's Browser Detection and Response (BDR) solution prevents browser-native threats from tricking AI agents into malicious activities

Fill out the form to request an enterprise pilot. For direct inquiries, please email founder@sqrx.com.

What Are Browser AI Agents?

Browser AI agents are softwares that can interact with the web and perform actions on the user's behalf. Some popular browser agents include OpenAI's Operator, Claude's Computer Use and the popular open source browser agent framework called Browser Use.


These Browser AI Agents allow users to automate a variety of multi-step tasks on the internet, from scheduling meetings and managing inboxes to booking flights and researching the Top 10 TV shows to look out for.

Exploiting Browser Agents

To understand why Browser AI Agents are the new weakest link, one must grasp two fundamental truths about these agents:

First, they are trained to complete tasks, not to be security aware. The primary objective of Browser AI Agents is to interpret and perform actions based on the user's instructions as efficiently and accurately as possible, even if certain steps may expose them to security risks. Unlike employees, they do not receive regular security training on identifying malicious behaviour and the latest threat vectors. Additionally, the employees behind these agents are likely not security aware enough to provide the necessary security guardrails in these prompts.

Second, the Browser AI Agents are performing actions on the user's behalf, with the same privilege level as the user, frequently with access to the user's identity, enterprise apps and company data that the employee is granted access to. As a result, there is no way for the browser or service provider to differentiate between the actions performed by the user and the Browser AI Agents.

In other words, not only do these agents have the same level of access as employees, they have poorer security awareness than an average employee. This makes them especially susceptible to any attack designed to target employees, allowing attackers to recycle many of their "basic" attack campaigns that no longer work on many employees.

Case Studies

To illustrate this, below are two case studies of Browser AI Agents falling prey to a simple phishing and OAuth attacks, despite the many malicious indicators throughout the workflow. Both demos were done with Browser Use, the popular open source Browser AI Agent framework used by thousands of organizations today.

Exploiting Browser AI Agents with Phishing Attacks

Here, the Browser AI Agent was tasked to login to Salesforce and complete a task. However, it enters the user’s credentials on a phishing site impersonating Salesforce during the process.

Exploiting Browser AI Agents with OAuth Attacks

In this example, a Browser AI Agent tasked to perform a research task falls prey to an OAuth attack, providing attackers with full access to the user’s Google Drive.

Securing Browser AI Agents

Browser AI Agent Developers

Browser AI Agent Developers like OpenAI and Anthropic should train their models to be more security aware. Beyond avoiding prompt injection, these Browser AI Agents should be trained to recognize and avoid common web-based attacks such as spearphising and malvertising. However, due to the lack of well labelled public datasets and the quickly evolving threat landscape, it is unlikely that the efforts from Browser AI Agent developers will be sufficient.

Browser Vendors

Today, browsers are unable to distinguish between an action performed by a real user and a Browser AI Agent. Browser vendors such as Chrome, Safari and Firefox should develop ways to make this distinction, potentially to limit or implement stricter guardrails on the actions that Browser AI Agent can perform.

Enterprises

Before browser vendors successfully make this distinction, it is critical for any enterprises that use Browser AI Agents to adopt browser-native tools that can prevent browser-native threats from tricking these agents into malicious activities. For instance, using the example from this blog, SquareX's Browser Detection and Response can block risky OAuth permissions from being granted to non-whitelisted sites.

Identity Providers

Eventually, it will also be critical for identity providers (IDPs) such as Okta and Ping Identity to recognize different Browser AI Agent identities associated with each user's identities. This will allow granular policies to be implemented on what each Browser AI Agent can perform on the user's behalf.

The SquareX Solution

SquareX's extension turns any browser on any device into an enterprise-grade secure browser. SquareX is the only solution that combines all three key components of browser security in a single platform:

  • Browser Detection and Response to detect & mitigate web attacks including identity attacks, malicious extensions advanced spearphishing attacks and malicious files
  • Enterprise browser to provide secure access to enterprise apps including VDI reduction, BYOD, 3rd party contractors and remote workers
  • Browser DLP including GenAI DLP, clipboard DLP, file DLP, insider attacks and data exfiltration attacks

The lightweight browser extension that is compatible with all major popular browsers including Chrome, Edge, Safari and Firefox and can be easily deployed across both managed and unmanaged devices.