Agentic Browsers Resurrect Decades-Old Web Vulnerabilities, Researchers Warn

Trail of Bits researchers have uncovered a fundamental security flaw in the architecture of modern agentic browsers — AI-powered tools that act on behalf of users within the browser environment. In a detailed analysis published Tuesday, the researchers demonstrated that the lack of proper trust-zone isolation in these systems enables attacks that are functionally identical to cross-site scripting (XSS) and cross-site request forgery (CSRF), effectively resurrecting decades-old vulnerability patterns that the web security community spent years building defenses against.

The root cause, according to the researchers, is inadequate isolation between four key trust zones: the chat context where the AI agent maintains its state and conversation history; third-party LLM servers that process user data; browsing origins representing each website the user visits; and the external network, including attacker-controlled servers. In a typical agentic browser, tools that fetch web pages, read files, access browsing history, or make HTTP requests create data flows between these zones without adequate controls, enabling a range of attacks.

The researchers identified four classes of trust zone violations that serve as primitives for constructing more sophisticated exploits. INJECTION allows arbitrary data to be added to the chat context through untrusted vectors, exploiting the well-known inability of LLMs to distinguish between data and instructions — the fundamental mechanism behind prompt injection attacks. CTX_IN adds sensitive data from browsing origins into the chat context, which can then be sent to third-party LLM servers. REV_CTX_IN updates browsing origins using data from the chat context, and CTX_OUT uses data from the chat context in external requests, creating side channels for data exfiltration.

When combined, these violations enable serious attacks. INJECTION alone can implant false information in the chat history, potentially influencing user decisions. The combination of INJECTION and CTX_OUT leaks chat data to attacker-controlled servers. Adding CTX_IN — which includes tools that retrieve sensitive user data like bank account information or healthcare records — enables complete data exfiltration. The researchers also demonstrated session confusion attacks that could allow an attacker to hijack authenticated sessions.

The researchers noted that many agentic browsers run on Chromium builds that are weeks or months behind on security patches, compounding the risk. This means prompt injection attacks can be chained with browser exploitation vulnerabilities, escalating from AI manipulation to full browser compromise. "These aren't theoretical concerns," the researchers wrote, though they declined to name specific products because the affected vendors declined coordinated disclosure, stating that the architectural flaws affect agentic browsers broadly.

As an immediate mitigation, the researchers recommend that developers of agentic browsers extend the Same-Origin Policy to AI agents, building on proven principles that successfully secured the web. They also suggest implementing proper trust-zone separation, limiting the tools available to agents, and ensuring that sensitive data never leaves the user's control without explicit user consent. The findings highlight a critical gap in the security of AI-integrated browsing tools, which are increasingly being adopted for tasks ranging from automated form filling to complex multi-step workflows.

The research underscores a broader pattern: as AI agents are rapidly bolted onto existing software ecosystems, fundamental security principles are being overlooked. "With browser-embedded AI agents, we're essentially starting the security journey over again," the researchers warned, calling for the industry to learn from the hard-won lessons of web security rather than repeating the same mistakes.