PALO ALTO, Calif., Oct. 9, 2025 /PRNewswire/ — As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps. The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google and The Browser Company have announced or released their own AI browsers. With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change.
“Just like any AI Agent, AI Browsers are trained to complete tasks, not to be security aware. This makes it trivial for attackers to trick browsers like Comet into performing malicious tasks, by convincing them that it is a necessary part of the workflow they are completing,” warns Vivek Ramachandran, Founder of SquareX, “With two major consumer browsers publicly announcing their entry to the AI Browser race, it is inevitable that AI Browsers will be the primary way we interact with the internet in the future. Without the right browser-native solution that can implement guardrails on these AI Browsers that take into account agentic identity and agentic DLP, millions of users will be at risk.”
In the technical blog, SquareX discloses a few ways Comet was exploited, illustrating each with case studies. In one example, in completing a research task, Comet fell prey to an OAuth attack, providing attackers with full access to the victim’s email and Google Drive. This allowed attackers to exfiltrate every file stored on the victim’s account, including those shared by colleagues and customers. In another, the AI browser was completing tasks in the user’s inbox – a common use case advertised by Comet itself – when it ended up distributing a malicious link to the victim’s colleague through a calendar invite. Other examples include tricking Comet into downloading known malwares and emailing sensitive files to attackers.
Unfortunately, existing solutions like EDRs and SASE/SSE have limited visibility into browsers. Today, there is no way to differentiate between activities performed by a user or Comet, as both network requests originate from the same browser. Thus, it is critical that enterprises have a browser-native solution that can differentiate between agentic and user identities, allowing them to apply differentiated guardrails on the data and actions that the AI browser can access or perform.
