Four minutes. That's how long it took researchers at Guardio Labs to trick Perplexity's brand-new Comet AI browser into handing over a victim's credentials to a phishing page. Not four hours. Not four days of sophisticated social engineering. Four minutes.
When my colleague Marcus sent me the research paper on Tuesday, I read it three times because I kept thinking I was missing something. I wasn't. The attack is elegant, terrifying, and — this is the part that should worry you — largely automated.
"Okay but I don't use an AI browser," you might be thinking. Sure. But you probably use AI tools that browse the web on your behalf, fill in forms, or process information from web pages. The attack surface described in this research applies to all of them.
Photo by Tima Miroshnichenko via Pexels
What Is an AI Browser and Why Should You Care?
AI browsers like Perplexity's Comet are a new category of tool. Instead of you navigating websites, clicking buttons, and filling out forms, an AI agent does it for you. You say "book me a flight to Chicago" and the AI opens travel sites, compares prices, enters your information, and handles the booking.
This sounds convenient because it is. It's also a completely new attack surface that security researchers are only beginning to understand.
The key difference from traditional browsing: when you browse the web, you decide whether a page looks legitimate. When an AI browser does it, the AI makes that judgment call. And as Guardio just demonstrated, AI judgment calls can be systematically exploited.
How "Agentic Blabbering" Breaks Everything
Here's where it gets interesting. Guardio's researchers coined a term for the fundamental vulnerability: Agentic Blabbering.
When AI browsers navigate the web, they don't just look at pages — they narrate their reasoning. "I see a login form. The URL looks legitimate. The SSL certificate is valid. I'll proceed." This internal monologue is transmitted between the browser and the AI model's servers.
The problem? Attackers can intercept this narration. And when they do, they get something extraordinary: a real-time feed of exactly what the AI thinks is suspicious, what it considers safe, and what would make it stop.
"The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way," security researcher Shaked Chen explained. "Well, 'narrating' is quite an understatement — it blabbers, and way too much!"
Think of it like a poker player who announces their hand out loud. Every tell, every hesitation, every calculation — broadcast for the opponent to exploit.
The Attack: Building a Self-Improving Scam Machine
This is the part that kept me up Tuesday night.
Guardio didn't just find a vulnerability. They built a system that automatically generates and improves phishing pages until the AI browser stops detecting them as suspicious.
Here's how it works:
Step 1: Create a basic phishing page (a fake refund form, login page, etc.).
Step 2: Send the AI browser to the page and intercept its reasoning. The AI might say something like: "This page asks for credentials but the domain doesn't match the company. I'm flagging this as suspicious."
Step 3: Feed that reasoning into a Generative Adversarial Network (GAN) — essentially, an AI that generates better scam pages based on what the target AI flagged as suspicious.
Step 4: Repeat until the AI browser walks into the trap without hesitation.
In Guardio's demonstration, this loop converged in under four minutes. The final phishing page was so convincing to the AI that it entered the victim's credentials without raising any alarms.
My friend Priya, who works in red team security, had a visceral reaction: "So the AI browser is basically training the attacker on how to beat it. In real time. That's not a vulnerability — that's an own goal."
Why This Is Different From Normal Phishing
Traditional phishing targets humans. You get an email that looks like it's from your bank, you click a link, you enter your password. The attacker is trying to fool you.
This attack targets the AI. The human never sees the phishing page. They told their AI browser to "process that refund" or "check my account," and the AI handled everything — including entering credentials on a fake page it thought was real.
What makes this particularly dangerous:
Scale. Once an attacker builds a phishing page that fools one user's AI browser, it fools everyone's. All users of the same AI browser share the same model, the same reasoning patterns, the same blind spots. One successful attack template works universally.
Offline training. Attackers don't need to deploy scams in the wild and wait for victims. They can train their scam pages against the AI model offline, perfecting the attack before launching it. First-contact success rate: potentially 100%.
No human intuition. Humans sometimes catch phishing through gut feeling — "something feels off." AI browsers don't have gut feelings. They have decision criteria, and once those criteria are satisfied, they proceed with mechanical certainty.
The Trail of Bits Connection
Guardio's research comes on the heels of a separate investigation by Trail of Bits, which demonstrated four different prompt injection techniques against the Comet browser. Their attacks could extract users' private information from services like Gmail by exploiting the browser's AI assistant.
Together, these findings paint a troubling picture: AI browsers in their current form have a fundamental security problem. Their greatest strength — the ability to reason about and interact with web content autonomously — is also their greatest vulnerability.
What You Should Actually Do Right Now
If you're using an AI browser: Don't panic, but be aware. Avoid letting AI browsers handle sensitive actions (banking, account management, anything involving passwords or payment information) on autopilot. Use them for research, comparison shopping, content consumption — things where a compromised interaction doesn't give away your credentials.
If you're building AI agent tools: Minimize the reasoning information transmitted in plaintext. Encrypt the chain-of-thought. Don't let your AI narrate its security assessments in a way that attackers can intercept and learn from.
If you're a security professional: Start treating AI agents as a separate threat surface. Your existing phishing training and detection tools are designed for human targets. They won't catch attacks designed to fool AI. This is a new category that needs new defenses.
For everyone: Multi-factor authentication remains your best friend. Even if an AI browser hands your password to a phishing page, MFA adds a second barrier. Enable it everywhere. Use hardware keys (YubiKey, Titan) if possible — they're phishing-resistant by design.
Marcus's final thought on the matter: "We spent 20 years teaching humans not to click suspicious links. Now we have to teach AI. And the AI learns slower than the scammers."
He's not wrong. And four minutes is not a lot of time.
(Guardio has responsibly disclosed their findings to Perplexity. As of publication, Perplexity has not publicly commented on the research.)
Related Reading
More on AI reliability concerns: half of AI pull requests would be rejected and why AI is making developers lazier, not replacing them.
Update: AI bots are not just phishing — they just killed Digg within weeks of its relaunch, overwhelming moderation and destroying platform trust entirely.
Related Reading
If you found this useful, check out these related articles: