AI Browsers Can Now Be Phished in Under Four Minutes - Here Is How Attackers Are Training Scams Against Your AI Assistant
My colleague Greg sent me a Guardio research paper at 7 AM this morning with the message: "We need to rethink everything about browser security."
I thought he was being dramatic. Then I read it. He wasn't.
Security researchers at Guardio Labs have demonstrated that they can trick Perplexity's Comet AI browser - one of the most popular agentic browsers on the market - into falling for a phishing scam in under four minutes. Not by targeting the user. By targeting the AI itself.
And the technique they used? It's trainable, repeatable, and works on every user of the same browser. Let me walk you through exactly how it works and why it matters.
What Is an Agentic Browser, and Why Should You Care?
First, some context. Agentic browsers are a new category of web browser that use AI to autonomously perform tasks on your behalf. Instead of you clicking through websites, filling out forms, and comparing prices, you tell the AI what you want and it does it - navigating pages, reading content, entering information, and making decisions along the way.
Perplexity's Comet, launched in late 2025, is among the most prominent. It can book travel, shop for products, fill out applications, and handle complex multi-step web tasks with minimal human intervention.
The problem, as Guardio discovered, is that these AI browsers have a fatal habit: they think out loud.
The Vulnerability: "Agentic Blabbering"
Guardio's researchers, led by security researcher Shaked Chen, identified what they call "Agentic Blabbering" - the tendency of AI browsers to verbosely narrate their decision-making process. As the AI navigates web pages, it continuously logs:
What it sees on the page. What it believes is happening. What it plans to do next. What signals it considers suspicious. And, crucially, what signals it considers safe.
This narration happens in the traffic between the browser and the AI vendor's servers. And it's interceptable.
"The AI blabbers about everything," Chen wrote. "That's not just an annoyance - it's a training signal for attackers."
My friend Rachel, who runs penetration testing at a financial services firm, put it more bluntly: "It's like a security guard who narrates every decision out loud. 'This person looks suspicious because of the badge. This person looks safe because of the uniform.' Now every attacker knows: wear the uniform."
How the Attack Actually Works - Step by Step
Here's the attack chain, broken down:
Step 1: Intercept the AI's reasoning. The attacker sets up a malicious web page and directs the AI browser to it (through a phishing email, malicious ad, or poisoned search result - the usual vectors). As the AI processes the page, its reasoning traffic flows between the browser and the vendor's servers. The attacker captures this traffic.
Step 2: Feed the reasoning into a GAN. A Generative Adversarial Network (GAN) - essentially two AI models in a feedback loop, one generating content and one evaluating it - uses the captured reasoning as training data. The GAN learns exactly what makes the AI browser suspicious and what makes it feel safe.
Step 3: Iteratively refine the phishing page. The GAN generates increasingly convincing phishing pages, testing each one against the AI browser's reasoning. Every time the AI flags something as suspicious, the GAN adjusts. Every time the AI proceeds without warning, the GAN notes what worked.
Step 4: Deploy the perfected scam. After enough iterations (Guardio achieved success in under four minutes), the phishing page is optimized to bypass the AI browser's defenses completely. The AI confidently proceeds with the attacker's instructions - entering credentials, confirming payments, or sharing sensitive data.
The devastating part: once a scam is optimized against a specific AI browser model, it works against every user of that browser. The attack targets the model, not the individual. One successful training run, millions of potential victims.
This Isn't the First Warning Sign
Guardio's research builds on two previous techniques:
VibeScamming (April 2025) demonstrated that vibe-coding platforms could be manipulated into generating complete scam websites.
Scamlexity (August 2025) showed that AI browsers could be tricked through hidden prompt injections embedded in web pages.
Trail of Bits independently demonstrated four separate prompt injection techniques against Comet that could extract private user data from services like Gmail. The attackers didn't need to hack Gmail - they hacked the AI's reading of Gmail.
Greg's assessment after reading the full paper: "We've built tools that are smarter than most users but more exploitable than a basic web form. That's not progress."
I wouldn't go that far. But I also wouldn't disagree.
What You Should Do Right Now
If you're using an agentic AI browser - Comet, Arc's AI features, or any similar tool - here are immediate steps:
1. Never let AI browsers handle sensitive actions unsupervised. If the browser is about to enter credentials, confirm a payment, or submit personal data, require manual confirmation. Most agentic browsers have settings for this. Turn them on.
2. Keep sensitive activities in a separate browser. Use your AI browser for research, shopping comparison, and content browsing. Use a standard browser (Firefox, Brave, or Chrome without AI plugins) for banking, email, and anything involving credentials.
3. Watch for unusual behavior. If your AI browser suddenly seems more confident about a page than it should be ("This refund page looks legitimate!"), that's potentially a red flag. The scam is designed to make the AI not warn you.
4. Enable transaction alerts on all financial accounts. If an AI browser does get tricked into authorizing something, you want to know immediately. Set up push notifications for every transaction over $0.
5. Update your browser regularly. Perplexity and other vendors are aware of this research and are working on mitigations. Updates will include improvements to how the AI reasons and how much of that reasoning is exposed in traffic.
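One way to enforce step 1 in software, as an added example that is not taken from Guardio's report or from any browser vendor's code: a deterministic gate that forces manual confirmation for credential and payment actions and deliberately ignores the model's own opinion of the page. The action shape (`kind`, `url`, `fields`, `modelVerdict`), the action kind names, and the approved-origin list are assumptions made for illustration.

```javascript
// Added example: deterministic confirmation gate for agent actions.
// The action shape {kind, url, fields, modelVerdict} is hypothetical.

// autocomplete tokens (HTML standard) that mark credential/payment inputs
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-number", "cc-csc", "cc-exp", "cc-name",
]);
const SENSITIVE_KINDS = new Set(["submit_credentials", "confirm_payment"]);

function sensitiveFields(fields) {
  const isSensitive = (f) =>
    f.type === "password" ||
    (f.autocomplete || "").toLowerCase().split(/\s+/)
      .some((t) => SENSITIVE_AUTOCOMPLETE.has(t));
  return fields.filter(isSensitive).map((f) => f.name);
}

// Returns {decision: "allow" | "confirm", reasons: string[]}.
// action.modelVerdict is never read: a page tuned against the model
// makes the model confident, so its opinion cannot lower the bar.
function gateAction(action, approvedOrigins) {
  let origin;
  try {
    origin = new URL(action.url).origin;
  } catch {
    return { decision: "confirm", reasons: ["unparseable URL"] };
  }
  const reasons = [];
  if (SENSITIVE_KINDS.has(action.kind)) reasons.push(`sensitive action: ${action.kind}`);
  const hits = sensitiveFields(action.fields || []);
  if (hits.length) reasons.push(`sensitive fields: ${hits.join(", ")}`);
  // Extra context for the human prompt; it never downgrades to "allow".
  if (reasons.length && !approvedOrigins.has(origin)) {
    reasons.push(`origin not user-approved: ${origin}`);
  }
  return { decision: reasons.length ? "confirm" : "allow", reasons };
}

// Constructed sample: the model is confident, the gate still stops.
const sampleAction = {
  kind: "submit_credentials",
  url: "https://refunds.example.net/claim",
  modelVerdict: "This refund page looks legitimate!",
  fields: [{ name: "user", type: "text", autocomplete: "username" },
           { name: "pass", type: "password", autocomplete: "current-password" }],
};
const approved = new Set(["https://bank.example.com"]);
console.log(gateAction(sampleAction, approved));
```

Because the gate keys on form metadata and action type rather than on page content, a page that has been optimized to look safe to the model still triggers the human prompt.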
The Uncomfortable Implication
The security model of the entire web was built around one assumption: the human is the decision-maker. Phishing works because humans can be deceived. Security training exists because humans make mistakes.
AI browsers break this assumption. Now the decision-maker is a language model - one that's potentially more consistent than a human but also more predictable. And predictability, in security, is a vulnerability.
"Scams will not just be launched and adjusted in the wild," Guardio concluded in their report. "They will be trained offline, against the exact model millions rely on, until they work flawlessly on first contact."
Read that sentence again. This is AI-versus-AI warfare, and right now, the attackers have a structural advantage: they can see how the defender thinks.
Rachel's final word: "The arms race just got automated. And we're not ready."
She's right. But at least now you know what's coming.