Table of Contents
Fetching ...

The Hidden Dangers of Browsing AI Agents

Mykyta Mudryi, Markiyan Chaklosh, Grzegorz Wójcik

TL;DR

The paper analyzes the security of autonomous browsing agents that leverage large language models, introducing an end-to-end threat model and a defense-in-depth framework. Using Browser Use as a white-box case study, it demonstrates vulnerabilities such as prompt injection, domain validation bypass, and credential exfiltration, and proposes multi-layer mitigations spanning input handling, architectural isolation, formal analyzers, and post-exploitation resilience. It emphasizes cross-layer risk assessment via the MAESTRO framework to cover perception, reasoning, planning, and tool execution across deployment, observability, and ecosystem layers. The work provides practical guidance for preventing initial access and limiting post-exploitation impact, with a focus on secure design, testing, and responsible disclosure to improve real-world deployment safety. Overall, it highlights that robust security for browsing agents requires defense-in-depth, formal verification, and continuous red-teaming to safely harness their automation potential.

Abstract

Autonomous browsing agents powered by large language models (LLMs) are increasingly used to automate web-based tasks. However, their reliance on dynamic content, tool execution, and user-provided data exposes them to a broad attack surface. This paper presents a comprehensive security evaluation of such agents, focusing on systemic vulnerabilities across multiple architectural layers. Our work outlines the first end-to-end threat model for browsing agents and provides actionable guidance for securing their deployment in real-world environments. To address discovered threats, we propose a defense in depth strategy incorporating input sanitization, planner executor isolation, formal analyzers, and session safeguards. These measures protect against both initial access and post exploitation attack vectors. Through a white box analysis of a popular open source project, Browser Use, we demonstrate how untrusted web content can hijack agent behavior and lead to critical security breaches. Our findings include prompt injection, domain validation bypass, and credential exfiltration, evidenced by a disclosed CVE and a working proof of concept exploit.

The Hidden Dangers of Browsing AI Agents

TL;DR

The paper analyzes the security of autonomous browsing agents that leverage large language models, introducing an end-to-end threat model and a defense-in-depth framework. Using Browser Use as a white-box case study, it demonstrates vulnerabilities such as prompt injection, domain validation bypass, and credential exfiltration, and proposes multi-layer mitigations spanning input handling, architectural isolation, formal analyzers, and post-exploitation resilience. It emphasizes cross-layer risk assessment via the MAESTRO framework to cover perception, reasoning, planning, and tool execution across deployment, observability, and ecosystem layers. The work provides practical guidance for preventing initial access and limiting post-exploitation impact, with a focus on secure design, testing, and responsible disclosure to improve real-world deployment safety. Overall, it highlights that robust security for browsing agents requires defense-in-depth, formal verification, and continuous red-teaming to safely harness their automation potential.

Abstract

Autonomous browsing agents powered by large language models (LLMs) are increasingly used to automate web-based tasks. However, their reliance on dynamic content, tool execution, and user-provided data exposes them to a broad attack surface. This paper presents a comprehensive security evaluation of such agents, focusing on systemic vulnerabilities across multiple architectural layers. Our work outlines the first end-to-end threat model for browsing agents and provides actionable guidance for securing their deployment in real-world environments. To address discovered threats, we propose a defense in depth strategy incorporating input sanitization, planner executor isolation, formal analyzers, and session safeguards. These measures protect against both initial access and post exploitation attack vectors. Through a white box analysis of a popular open source project, Browser Use, we demonstrate how untrusted web content can hijack agent behavior and lead to critical security breaches. Our findings include prompt injection, domain validation bypass, and credential exfiltration, evidenced by a disclosed CVE and a working proof of concept exploit.
Paper Structure (39 sections, 1 figure, 11 tables)