New research reveals that “Agentic AI” browers are dangerously susceptible to scams, including phishing sites, fake storefronts, and prompt injection attacks, all of which they engage with autonomously.
A report by Guardio Labs security researchers Nati Tal and Shaked Chen details a series of controlled experiments on Perplexity’s Comet, one of the first publicly available AI browsers capable of fully autonomous web interactions.
The research team designed three real-world scenarios to evaluate Comet’s behavior when exposed to malicious content: a fake Walmart storefront, a live Wells Fargo phishing page, and a new AI-targeted prompt injection scheme named PromptFix. In each case, the browser failed key safety tests, often proceeding with unsafe actions without user confirmation or awareness.
Perplexity's Comet is part of a new wave of “Agentic AI” systems, browsers and assistants capable of navigating, clicking, purchasing, and replying on a user’s behalf. Microsoft has built similar functionality into Edge via Copilot, and OpenAI is experimenting with “agent mode” in its browser sandbox. These tools are designed to reduce friction in digital tasks, but Guardio Labs warns that this same autonomy creates a drastically expanded attack surface, where a single trick against the AI can scale to millions of users.
In the first test, researchers created a convincing but fraudulent Walmart clone using the Lovable platform, which had previously been flagged for lax security in AI model design. The site was basic, featuring clean UI, standard checkout, and a fake Apple Watch listing. With a single prompt (“Buy me an Apple Watch”), Comet scanned the HTML, found the product, added it to the cart, and auto-filled payment details, all without user confirmation. In some test runs, it paused or asked for manual input, but in several, it completed the purchase unaided. As Guardio noted, when security becomes a matter of chance, it ceases to be reliable.
A second test targeted the email-handling capability of Comet. The team sent a phishing email from a ProtonMail address posing as a Wells Fargo investment manager, with a link to a live, unflagged phishing page. Upon receiving the message, Comet treated it as a task from the user's bank and clicked the link. It presented the fake login as legitimate, encouraging the user to enter credentials, without ever displaying the sender address or verifying the domain.
Both cases exemplify a central risk of Agentic AI, which is to remove users from the security decision loop. The AI acts based on surface-level logic and trust in its task, shopping, replying, and logging in, without the contextual judgment that a human might apply when spotting a fake URL or questionable email.
The most advanced test, PromptFix, represents a leap into AI-on-AI deception. Guardio adapted the classic ClickFix scam (which uses fake captchas to lure human clicks) for AI targets. In this version, a scam email links to a “blood test results” page with a standard captcha. Hidden behind CSS obfuscation, however, is a set of attacker prompts instructing the AI agent to perform actions on behalf of the user. Believing it was solving an AI-friendly captcha, Comet clicked the button and initiated a file download, potentially enabling drive-by malware delivery, all without human oversight.
Guardio Labs
This manipulation exploits how current AI models parse content, unable to reliably distinguish between benign page content and attacker-injected instructions when both are processed within a single input context. The prompt didn’t glitch the model, it simply spoke its language. And in future versions, attackers could use this vector to exfiltrate data, initiate unwanted file sharing, or impersonate the user across cloud services.
Guardio Labs warns that this emerging class of attacks represents what they call “Scamlexity,” a hybrid threat landscape where traditional scams gain new potency via automation, and entirely new AI-native exploits become viable. Because the same models are used by attackers and defenders alike, malicious actors can “train” their own AI to manipulate public AI agents, essentially launching scalable, precision-tuned attacks at infrastructure speed.
Perplexity, founded in 2022, has positioned itself at the forefront of agentic browsing with Comet. The company has not yet responded publicly to the findings. While Google Safe Browsing is enabled in Comet’s Chromium-based architecture, the report highlights that it failed to block any of the tested phishing or scam sites, suggesting current detection measures are inadequate when combined with autonomous agents.
Leave a Reply