Deep Dive into Architectural Vulnerabilities in Agentic LLM Browsers

Since the introduction of LLM-powered agentic browsers, researchers at Varonis Threat Labs have shown that embedding autonomous AI agents in browsers creates new high-privilege attack surfaces that convert standard web flaws into full browser takeovers. The analysis highlights concrete abuse paths (XSS, agentic CSRF, IPC/Mojo bridge compromises, data-voids, and indirect prompt injection) across implementations such as Comet (Perplexity), OpenAI Atlas, Microsoft Edge Copilot, and Brave Leo.

Keypoints

  • Agentic LLM browsers embed autonomous AI agents that can navigate, interact with pages, and execute multi-step workflows, creating a super-privileged control path distinct from traditional browser sandboxes.
  • Different implementations (Comet/Perplexity, OpenAI Atlas, Edge Copilot, Brave Leo) use distinct architectures—privileged extensions, IPC/Mojo bridges, or native integrations—each with unique attack surfaces.
  • Comet uses force-installed privileged extensions (service worker + content scripts) and chrome.runtime.sendMessage to bridge remote backends with Chrome DevTools Protocol (debugger permission), enabling full programmatic control of the browser.
  • The primary attack vector is “agent-jacking”: compromising a trusted/whitelisted origin (via XSS, DNS spoofing, subdomain takeover, or RCE) to send commands directly to the privileged agent and hijack browser authority.
  • Specific abuses include unauthorized navigation, continuous page scraping for real-time spying, local file and internal network exfiltration (file:// URIs, SSRF), silent downloads of malware, impersonation (unauthorized emails/transactions), and data-void manipulation.
  • Mitigations such as Comet’s local_search_enabled flag and origin allow-lists reduce risk, but IPC design, force-installed extensions, and agent toolsets create systemic paradoxes where functionality requires crossing long-standing security boundaries.
  • New logic-targeting attacks—indirect prompt injection via page content and system prompt extraction—threaten the agent’s decision layer and enable attackers to manipulate or disclose core agent instructions.
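The keypoints above describe a privileged extension bridge that accepts commands from an allow-listed origin and can drive the browser into file:// URIs, internal pages and internal-network hosts. The following is an added defensive example, not code from Varonis, Perplexity or any vendor named here: it vets an incoming bridge message by exact sender origin and by command, and blocks the navigation targets the post calls out. The origin (`https://agent-backend.example`), command names and the `chrome.runtime.onMessageExternal` wiring are assumptions.

```javascript
// Assumed trusted backend origin (placeholder). Exact-origin matching means no
// wildcard subdomains (subdomain takeover) and no http:// downgrade of the origin.
const TRUSTED_ORIGINS = new Set(["https://agent-backend.example"]);
// Assumed command allow-list: anything else (e.g. raw debugger calls) is refused.
const COMMANDS = new Set(["navigate", "readPageText"]);

// True for loopback, RFC 1918, link-local and common internal suffixes (SSRF targets).
function isInternalHost(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // URL.hostname keeps [] on IPv6
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1" || h === "0.0.0.0") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return h.endsWith(".local") || h.endsWith(".internal");
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Only http(s) to a non-internal host may be navigated: this rejects file://,
// chrome://, edge://, brave:// and javascript: targets as well as private hosts.
function isSafeNavigationTarget(target) {
  let u;
  try { u = new URL(target); } catch { return false; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  return !isInternalHost(u.hostname);
}

// Exact origin match on the sender URL. Caveat: XSS on the trusted origin itself
// still passes this check, which is the "agent-jacking" paradox the post describes.
function isTrustedSender(sender) {
  if (!sender || typeof sender.url !== "string") return false;
  let origin;
  try { origin = new URL(sender.url).origin; } catch { return false; }
  return TRUSTED_ORIGINS.has(origin);
}

// Decide whether one bridge message may reach the privileged tooling.
function vetCommand(sender, msg) {
  if (!isTrustedSender(sender)) return { allowed: false, reason: "untrusted sender origin" };
  if (!msg || !COMMANDS.has(msg.command)) return { allowed: false, reason: "unknown command" };
  if (msg.command === "navigate" && !isSafeNavigationTarget(msg.url)) {
    return { allowed: false, reason: "navigation target blocked" };
  }
  return { allowed: true, reason: "ok" };
}

// Wiring into an extension (assumed); guarded so the file also runs under Node.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, respond) => respond(vetCommand(sender, msg)));
}
```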

MITRE Techniques

  • [T1190] Cross-Site Scripting (XSS) – Used to gain execution on trusted/whitelisted domains and send commands to privileged agent bridges; quote: ‘A standard vulnerability like XSS can now escalate from merely stealing a cookie to fully hijacking the agent itself.’
  • [T1190] Remote Code Execution / Exploit Public-Facing Application – Exploiting vulnerabilities on authorized domains (RCE or other exploits) to commandeer IPC/Mojo channels and control the OWL host or extension; quote: ‘Any vulnerability that allows an adversary to impersonate or control a trusted domain including DNS spoofing, subdomain takeovers, or Remote Code Execution (RCE) serves as a master key to the browser’s high-privilege bridge.’
  • [T1005] Data from Local System – Agentic tools can be tricked to navigate to local file URIs and read disk content (local file exfiltration); quote: ‘navigating to a local file URI (e.g., file:///C:/passwords.txt)… these tools could retrieve raw data from disk.’
  • [T1041] Exfiltration Over C2 Channel (Web exfiltration) – Compromised agents can continuously capture page content or send stolen data to attacker-controlled servers; quote: ‘capture that content and exfiltrate it to the attacker’s server.’
  • [T1566] Phishing / Impersonation – Agent-driven impersonation and unauthorized actions (sending emails or performing transactions) by poisoning the agent context; quote: ‘Impersonation: Launching the agent with a “poisoned” context to perform financial transactions or send emails on the user’s behalf.’
  • [T1198] Cross-Site Request Forgery (agentic CSRF) – URL- or referrer-based triggers (q= parameters) can be used to attempt unauthorized agent actions, prompting defenses like Comet’s local_search_enabled; quote: ‘this can introduce a CSRF-like risk… Comet treats this as an “agentic CSRF” scenario.’
  • [T1530] Subdomain Takeover / DNS Spoofing (Domain Takeover) – Domain ownership or DNS manipulation that lets attackers control whitelisted origins and thus the agent bridge; quote: ‘An attacker who gains execution on a domain like perplexity.ai, openai.com, or copilot.microsoft.com can bypass the LLM’s reasoning layer entirely.’

Indicators of Compromise

  • [Domain] trusted/whitelisted backends and UIs – perplexity.ai, copilot.microsoft.com (used as privileged origins that can send commands to extensions/hosts)
  • [Internal/Browser URLs] privileged internal pages and debug interfaces – edge://discover-chat-v2, chrome://serviceworker-internals, brave://leo-ai (expose internal extension/tooling and IPC surfaces)
  • [File URI] local file access attempts – file:///C:/passwords.txt (example used to demonstrate local file exfiltration capability)
  • [Search/URL parameters] agentic CSRF vectors – https://www.perplexity.ai/search/new?q=… (q= parameter example that can be used to inject agent prompts)
  • [Repository/Content] sensitive content sources targeted for exfiltration – private GitHub repository (used in simulations to demonstrate live content capture and exfiltration)

Read more: https://www.varonis.com/blog/architectural-vulnerabilities-in-agentic-llm-browsers