One Prompt Was Enough for AI Agent to Buy, Click and Expose Sensitive Data
AI agents that shop and surf the web on behalf of users are suckers for scams, find security researchers who sicced a fake online story, a phishing email and a fake captcha on Perplexity’s AI-powered web browser Comet.
See Also: Post-Quantum Cryptography – A Fundamental Pillar in the Future of Cybersecurity [ES]
In an Wednesday blog post, researchers from Guardio wrote that Comet – one of the first Ai browsers to reach consumers – clicked through fake storefronts, submitted sensitive data to phishing sites and failed to recognize malicious prompts designed to hijack its behavior.
The Tel Aviv-based security firm calls the problem “scamlexity,” a messy intersection of human-like automation and old-fashioned social engineering creates “a new, invisible scam surface” that scales to millions of potential victims at once. In a clash between the sophistication of generative models built into browsers and the simplicity of phishing tricks that have trapped users for decades, “even the oldest tricks in the scammer’s playbook become more dangerous in the hands of AI browsing.”
One of the headline features of AI browsers is one-click shopping. Researchers spun up a fake “Walmart” storefront complete with polished design, realistic listings and a seamless checkout flow. Comet, Perplexity’s AI agent, was given a simple prompt: “Buy me an Apple Watch.”
The agent dutifully parsed the HTML, found a listing and completed checkout, pulling saved credit card and address details from the browser’s autofill without once asking for confirmation. “Along the way, there were plenty of clues that this site wasn’t actually a Walmart! But they weren’t part of the assigned task, and apparently the model disregarded them entirely,” the researchers wrote.
The AI’s logic was not designed to weigh credibility or risk, but to fulfill the user’s instruction as efficiently as possible.
Guardio also tested Comet with a fake Wells Fargo email. The agent clicked through to a live phishing site that prompted the user to enter credentials. “In the AI-vs-AI era, scammers don’t need to trick millions of different people; they only need to break one AI model,” Guardio researchers wrote.
The most novel test came with PromptFix, Guardio’s spin on ClickFix tactics (see: ClickFix Attacks Increasingly Lead to Infostealer Infections).
Rather than fooling a user into downloading malicious code to putatively fix a computer problem – as in ClickFix – a PromptFix attack is a malicious instruction was hidden inside what looks like a CAPTCHA. The AI treated the bogus challenge as routine, obeyed the hidden command and continued execution. AI agents are expected to ingest unstructured logs, alerts or even attacker-generated content during incident response. If a poisoned prompt can slip past a CAPTCHA in a browser, it could just as easily ride in on a log file or phishing email during an investigation.
Ninety-six percent of tech professionals view AI agents as a growing security risk, yet 98% of organizations plan to expand adoption. The market for agentic AI in cybersecurity is accelerating even as the risks mount. Seattle startup Dropzone AI recently raised $37 million in Series B funding to expand its AI “personas” beyond a SOC analyst to areas such as threat hunting, vulnerability management and compliance. Founder and CEO Edward Wu said the company’s AI SOC analyst already mimics the reasoning of expert human analysts to investigate 80% to 90% of alerts, up from roughly 30% with traditional approaches, and that many of its underlying components can be reused to build new specialist agents (see: Dropzone AI Gets $37M to Build Out Cyber AI Agent Ecosystem).