SquareX Shows AI Browsers Fall Prey to OAuth Attacks, Malware Downloads and Malicious Link Distribution

As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware, and gain unauthorized access to enterprise SaaS apps. The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google, and The Browser Company have announced or released their own AI browsers. With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change.

In the technical blog, SquareX discloses a few ways Comet was exploited, illustrating each with case studies. In one example, in completing a research task, Comet fell prey to an “OAuth attack”, providing attackers with full access to the victim’s email and Google Drive. This allowed attackers to exfiltrate every file stored on the victim’s account, including those shared by colleagues and customers. In another, the AI browser was completing tasks in the user’s inbox – a common use case advertised by Comet itself – when it ended up distributing a malicious link to the victim’s colleague through a calendar invite. Other examples include tricking Comet into downloading known malware and emailing sensitive files to attackers.

Unfortunately, existing solutions like EDRs and SASE/SSE have limited visibility into browsers. Today, there is no way to differentiate between activities performed by a user or Comet, as both network requests originate from the same browser. Thus, it is critical that enterprises have a browser-native solution that can differentiate between agentic and user identities, allowing them to apply differentiated guardrails on the data and actions that the AI browser can access or perform.

To read the complete article see: Full Article