None
<p>In our <a href="https://www.imperva.com/blog/the-rise-of-agentic-ai-from-chatbots-to-web-agents/">first post</a>, we introduced the world of AI web agents – defining what they are, outlining their core capabilities, and surveying the leading frameworks that make them possible. Now, we’re shifting gears to look at the other side of the coin: the vulnerabilities and attack surfaces that arise when autonomous agents browse, click, and act on our behalf.</p><p>From startups to tech giants, everyone is racing to embed these agentic capabilities into their products and services, making AI agents central to modern operations. But as adoption accelerates, a harsh truth emerges: their power comes with exposure. In this post, we’ll explore how vulnerabilities in AI web agents are emerging as critical security risks, especially when these tools are embedded into larger agentic workflows and systems.</p><h2>Web Agents Recap</h2><p>Before we dive into specific threats, it helps to recap how AI web agents operate under the hood. At a high level, AI web agents are software tools powered by large language models (LLMs) with an automation engine, typically a headless browser or API client, to turn natural-language instructions into concrete web actions. They’ll navigate to a page, authenticate or fill out forms, invoke API endpoints, parse responses, and even manage cookies or session state to complete each step. These agents can break down complex prompts into discrete actions and carry them out via a browser or even the underlying operating system.</p><div class="code-block code-block-12 ai-track" data-ai="WzEyLCIiLCJCbG9jayAxMiIsIiIsMV0=" style="margin: 8px 0; clear: both;">
<style>
.ai-rotate {position: relative;}
.ai-rotate-hidden {visibility: hidden;}
.ai-rotate-hidden-2 {position: absolute; top: 0; left: 0; width: 100%; height: 100%;}
.ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback, .ai-list-block, .ai-list-block-ip, .ai-list-block-filter {visibility: hidden; position: absolute; width: 50%; height: 1px; top: -1000px; z-index: -9999; margin: 0px!important;}
.ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback {min-width: 1px;}
</style>
<div class="ai-rotate ai-unprocessed ai-timed-rotation ai-12-1" data-info="WyIxMi0xIiwyXQ==" style="position: relative;">
<div class="ai-rotate-option" style="visibility: hidden;" data-index="1" data-name="VGVjaHN0cm9uZyBHYW5nIFlvdXR1YmU=" data-time="MTA=">
<div class="custom-ad">
<div style="margin: auto; text-align: center;"><a href="https://youtu.be/Fojn5NFwaw8" target="_blank"><img src="https://securityboulevard.com/wp-content/uploads/2024/12/Techstrong-Gang-Youtube-PodcastV2-770.png" alt="Techstrong Gang Youtube"></a></div>
<div class="clear-custom-ad"></div>
</div></div>
<div class="ai-rotate-option" style="visibility: hidden; position: absolute; top: 0; left: 0; width: 100%; height: 100%;" data-index="1" data-name="QVdTIEh1Yg==" data-time="MTA=">
<div class="custom-ad">
<div style="margin: auto; text-align: center;"><a href="https://devops.com/builder-community-hub/?ref=in-article-ad-1&utm_source=do&utm_medium=referral&utm_campaign=in-article-ad-1" target="_blank"><img src="https://devops.com/wp-content/uploads/2024/10/Gradient-1.png" alt="AWS Hub"></a></div>
<div class="clear-custom-ad"></div>
</div></div>
</div>
</div><p>Frameworks like <strong>Browser-Use</strong> and <strong>Skyvern </strong>focus on browser automation, while tools like <strong>ACE (by General Agents)</strong>, <strong>OpenAI’s Operator</strong>, or <strong>Claude’s Computer Use</strong> extend control to desktop environments. In practice, an agent may fetch live data, maintain context in an internal memory, and coordinate with other specialized agents to execute multi-stage workflows.</p><p>This blend of LLM logic, automation layers, and external integrations not only creates a rich functionality and advanced capabilities but also, as we’ll see, exposes new attack surfaces in modern AI web agents.</p><div class="code-block code-block-15" style="margin: 8px 0; clear: both;">
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-2091799172090865" crossorigin="anonymous" type="00daac404f7bae23fed02e19-text/javascript"></script>
<!-- SB In Article Ad 1 -->
<ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-2091799172090865" data-ad-slot="8723094367" data-ad-format="auto" data-full-width-responsive="true"></ins>
<script type="00daac404f7bae23fed02e19-text/javascript">
(adsbygoogle = window.adsbygoogle || []).push({});
</script></div><h2>Risks & Vulnerabilities in AI Web Agents</h2><p>Despite their impressive capabilities, AI web agents have clear weak points that attackers can exploit. Although this field is still in its early days, researchers have already started mapping out risks and vulnerabilities affecting AI agents.</p><p>In this blog, we’ll dive into one of the pressing threats to AI web agents: <strong>Agent Hijacking.</strong> This occurs when an attacker interferes with how an agent perceives information or makes decisions. By feeding it misleading inputs or tampering its internal logic, attackers can trick the agent to trust false data, leak sensitive information, or take actions that are unsafe, unintended, or even malicious. To keep things simple, let’s split hijacking attacks into two categories:</p><ul>
<li><strong>Perception & Interface Hijacking: </strong>Manipulating what the agent “sees” or how it interacts with the web environment.</li>
<li><strong>Prompt-Based Hijacking: </strong>Tampering with the agent’s “thought process” by feeding it with misleading or malicious instructions.</li>
</ul><p>This two-part breakdown helps clarify where and how agents can be taken over, and why defence strategies must protect both their internal reasoning and their external senses.</p><h3>Perception & Interface Hijacking</h3><p>This type of attack goes after the agent’s “senses” and “actions” in the browser. It focuses on the external layer – the browser, UI, or environment the AI agent interacts with. By messing with what the agent sees or clicks on, attackers can trick it into performing unauthorized actions. Perception hijacking occurs in the following sequence of events:</p><ol>
<li><strong>DOM/Page manipulation:</strong> tweaking the page’s HTML to mislead the agent, for instance, replacing a legitimate links or buttons with malicious ones. This can be done with known attack vectors like stored XSS, but also through normally benign tools like markdown formatting within applications.</li>
<li><strong>Visual confusion: </strong>these manipulated web elements cause confusion to the web agent, tricking it into taking actions it should not.</li>
<li><strong>Actions:</strong> the agent then clicks on manipulated buttons and links within the page, expecting a certain outcome, and are then redirected to potentially malicious locations.</li>
</ol><p>In the following video, we show how a simple markdown comment in a standard web forum can hijack the AI web agent Browser-Use. By manipulating how the agent views the site, we can influence its behavior and send it to a malicious destination. For the demo we used a realistic clone of a site, similar to Stack Overflow, to illustrate this behaviour.</p><div style="width: 1650px;" class="wp-video"><!--[if lt IE 9]><script>document.createElement('video');</script><![endif]--><br>
<video class="wp-video-shortcode" id="video-20076-1" width="1650" height="972" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-Perception-Hijacking-demo.mp4?_=1"></source><a href="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-Perception-Hijacking-demo.mp4">https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-Perception-Hijacking-demo.mp4</a></video></div><p>Demo 1: Browser-Use Perception Hijacking</p><h3>Prompt-Based Hijacking</h3><p>In contrast to perception-based hijacking, instead of manipulating what the agent sees, this type of attack targets the internal reasoning loop of an AI agent by feeding it crafted language inputs hidden in the web elements ingested from web pages. These hijacks are so dangerous because they exploit the very flexibility that makes the LLMs powerful: bending an agent’s reasoning purely through language, without ever touching its underlying code.</p><p>Building on the previous demo video, we demonstrate how a malicious landing page, in this example a fake login, can be designed to include interactive elements embedding hidden prompt injections. Here we override the agent’s prompts and direct it to watch a legendary video.</p><div style="width: 1568px;" class="wp-video"><video class="wp-video-shortcode" id="video-20076-2" width="1568" height="968" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-prompt-injection-demo.mp4?_=2"></source><a href="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-prompt-injection-demo.mp4">https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-prompt-injection-demo.mp4</a></video></div><p>Demo 2: Browser-Use Prompt Injection</p><h3>The Interplay Between Prompt and Perception Hijacking</h3><table>
<thead>
<tr>
<td><strong>Category</strong></td>
<td><strong>Definition</strong></td>
<td><strong>Targets</strong></td>
<td><strong>Example Techniques</strong></td>
<td><strong>Goal</strong></td>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Perception & Interface Hijacking</strong></td>
<td>Exploits how the agent perceives or interacts with its environment to mislead or trap it.</td>
<td>UI, DOM, browser actions, context</td>
<td>DOM injection, tooltip poisoning, spoofed buttons or domains</td>
<td>Force incorrect actions, leak data, misdirect flow</td>
</tr>
<tr>
<td><strong>Prompt-Based Hijacking</strong></td>
<td>Manipulates the agent’s internal reasoning by injecting or modifying natural language input.</td>
<td>Prompts, memory, task objectives</td>
<td>Prompt injection, memory poisoning, goal redirection</td>
<td>Subvert agent behaviour, bypass safeguards</td>
</tr>
</tbody>
</table><p>Think of it like this: <strong>p</strong><strong>rompt-based injection messes with the agent’s “</strong><em>thoughts”</em>,<br>
while <strong>perception & interface hijacking</strong> targets its “<strong>senses” and actions.</strong></p><p>In browser<strong>-based agents</strong>, you rarely see <strong>prompt injection on its own.</strong> Unlike chatbots that take direct text input, browser agents rely on scraping<strong> and interpreting </strong>page content. This means that for an attacker to inject prompts, they must first manipulate what the agent sees: through the DOM, hidden elements, tooltips, or spoofed content.</p><p>Here, <strong>the web interface becomes the true injection surface</strong>. Malicious instructions are smuggled into page content that the agent is likely to scrape or summarize, turning perception manipulation into a delivery mechanism for hijacking the agent’s internal reasoning. As a result, even though prompt injection and perception hijacking are conceptually distinct, <strong>they are tightly coupled in web environments</strong>, with interface control often being a <strong>prerequisite</strong> for successful prompt-level compromise.</p><h3>Real-World Consequences of Agents Hijacks</h3><p>Here is what can happen when attackers take over an AI web agent:</p><h4>Cross-Site Manipulation</h4><p>When an agent loads a page containing hidden scripts or cleverly crafted content, that page can influence the agent’s behaviour on other websites – much like XSS (Cross-Site Scripting) or CSRF in traditional web security, but here, the “scripting” is done via content that influences the agent’s decision logic.</p><p>In the demo video below, we show how injecting a prompt into the fake login page can manipulate the browser agent into visiting an online shopping site with a pre-authenticated session. We illustrate how the agent can perform malicious actions on the site, including making purchases.</p><div style="width: 1570px;" class="wp-video"><video class="wp-video-shortcode" id="video-20076-3" width="1570" height="978" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-Prompt-hijacking-demo.mp4?_=3"></source><a href="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-Prompt-hijacking-demo.mp4">https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Browser-Use-Prompt-hijacking-demo.mp4</a></video></div><p>Demo 3: Browser-Use Malicious Purchases</p><h4>Unchecked System Commands</h4><p>Many agents can execute code or simulate mouse and keyboard events- powerful features that demand strong sandboxing. “Sandboxing” means restricting what the agent can do, to contain any damage. Without it, a hijacked agent could wreak havoc on your PC: deleting files, installing malware, or altering critical configurations. Imagine an attacker slipping a malicious instruction into a tool like General Agents ACE, or Claude Computer Use, since they control the Operating System I/O, they effectively have full system access. Various case studies have shown attacks like these in action, demonstrating how OS’s controlled by LLMs can be compromised in this way <sup><a href="https://hiddenlayer.com/innovation-hub/indirect-prompt-injection-of-claude-computer-use/" rel="noopener">[1]</a><a href="https://www.prompt.security/blog/claude-computer-use-a-ticking-time-bomb" rel="noopener">[2]</a></sup>.</p><h4>Context Leakage and Unauthorized Data Access</h4><p>AI agents constantly handle sensitive context: web page content, user prompts, intermediate reasoning, API keys, and session tokens. Context leakage refers to sensitive data slipping out where it shouldn’t, often due to an attack. An agent might carry private info from one step to the next and accidentally reveal it. For example, if an agent logs into a user’s accounts (email, banking, etc.), it will handle credentials or session tokens. Those need to be protected. Multi-agent setups amplify this risk: one compromised agent can become the weak link that exposes the entire chain of tasks. Bellow, we’ll show an example of how hidden context in an agent’s prompt can be leaked to an attacker.</p><p>In the final demo video below, we demonstrate how injecting a prompt into the fake login page can force the browser agent to retrieve local secrets and send them to an attacker-controlled server.</p><div style="width: 1570px;" class="wp-video"><video class="wp-video-shortcode" id="video-20076-4" width="1570" height="978" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Local-secret-theft-demo.mp4?_=4"></source><a href="https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Local-secret-theft-demo.mp4">https://www.imperva.com/blog/wp-content/uploads/sites/9/2025/06/Local-secret-theft-demo.mp4</a></video></div><p>Demo 4: Browser-Use Local Secret Theft</p><h2>Cascading Effects in Multi-Agent Workflows</h2><p>When AI agents team up, with one fetching web data, another analysing it, and a third updating databases, everything runs like a finely tuned assembly line. But that same modular setup means a breach in just one link can quietly infect the rest. A compromised agent—whether through prompt injection, poisoned memory, or tampered outputs—can hand off malicious instructions or poisoned data to its peers, propagating a silent “infection” down the chain. Recent research shows how a single hijacked agent can undermine downstream systems, even when each agent seems isolated <sup><a href="https://splx.ai/blog/exploiting-agentic-workflows-prompt-injections-in-multi-agent-ai-systems" rel="noopener">[3]</a></sup>.</p><p>This risk only grows as agents talk to each other using standardized protocols such as <strong>Agent-to-Agent (A2A)</strong> and <strong>Anthropic’s Model Context Protocol (MCP)</strong>. These frameworks make it easy to build and connect multi-agent workflows by defining shared message formats, memory interfaces, and secure context-passing mechanisms. While this standardization lowers the barrier for developers to build complex agentic architectures, it also means that a vulnerability in one agent or protocol implementation can have a far-reaching impact. For example, a malicious instructions hidden in one agent’s JSON context (via MCP) can slip through to other agents without setting off alarms. In effect, while protocols like A2A and MCP are essential enablers of scale and interoperability, they also emphasize the need for <strong>robust validation, filtering, and isolation mechanisms</strong> between agents to prevent the systemic spread of compromised inputs or behaviour.</p><p>As multi-agent ecosystems become the norm, the importance of treating every agent-to-agent interaction as a potential security boundary becomes paramount. Without solid validation, filtering, and isolation at each step, the benefits of composability and reuse can quickly turn into vectors for exploitation.</p><h2>Wrapping Up: Innovate with Caution</h2><p>AI web agents like ACE, Browser-Use, Skyvern (and others such as Auto-GPT style bots or OpenAI’s Operator) herald a future of hands-free automation. But as we’ve seen, attackers are also eyeing these agents. A hijacked agent can turn your helpful AI assistant into a weapon against you (or against others). From prompt injection attacks that quietly insert the hacker’s agenda, to cross-site exploits that piggyback on an agent’s browsing, to multi-agent “infection” that spreads through an entire swarm of bots, the security challenges are real and pressing.</p><p>The good news is that we are not powerless, as the AI community is actively working on defences. Researchers are studying robust prompting techniques and content filters to catch malicious instructions. Companies are exploring constitutional AI and policy-driven agents that refuse risky actions. And the old rules still apply: run agents with the least-privileges they need, sandbox them tightly, and monitor their activity for anomalies.</p><p>In the meantime, if you’re experimenting with AI web agents, stay vigilant. Treat them as you would a new intern with extraordinary powers: supervise closely and train them before fully trusting them on their own. Use test environments, double-check critical steps, and keep humans in the loop for high-risk steps like spending money or deleting data. As we’ve illustrated, a single well-placed attack can make an AI agent go from helpful to harmful in a flash. By understanding these failure modes (prompt injections, cross-site manipulations, sandbox escapes, context leakage, and cascade effects) we can design safer agent systems that boost efficiency, without opening the door for attackers.</p><p> </p><a href="https://hiddenlayer.com/innovation-hub/indirect-prompt-injection-of-claude-computer-use/" rel="noopener">https://hiddenlayer.com/innovation-hub/indirect-prompt-injection-of-claude-computer-use/</a><a href="https://www.prompt.security/blog/claude-computer-use-a-ticking-time-bomb" rel="noopener">https://www.prompt.security/blog/claude-computer-use-a-ticking-time-bomb</a><a href="https://splx.ai/blog/exploiting-agentic-workflows-prompt-injections-in-multi-agent-ai-systems" rel="noopener">https://splx.ai/blog/exploiting-agentic-workflows-prompt-injections-in-multi-agent-ai-systems</a><p>The post <a href="https://www.imperva.com/blog/the-rise-of-agentic-ai-uncovering-security-risks-in-ai-web-agents/">The Rise of Agentic AI: Uncovering Security Risks in AI Web Agents</a> appeared first on <a href="https://www.imperva.com/blog">Blog</a>.</p><div class="spu-placeholder" style="display:none"></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.imperva.com/blog/">Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Sarit Yerushalmi">Sarit Yerushalmi</a>. Read the original post at: <a href="https://www.imperva.com/blog/the-rise-of-agentic-ai-uncovering-security-risks-in-ai-web-agents/">https://www.imperva.com/blog/the-rise-of-agentic-ai-uncovering-security-risks-in-ai-web-agents/</a> </p>
