Open Sesame!
AI browser agents inherit every logged-in session, and so does anyone who can trick them.
Perplexity, Anthropic, and OpenAI have each shipped a product in the past year whose core function is placing an AI agent inside the user’s authenticated browser session. Security researchers have broken every one tested so far, using the same class of attack: tricking the agent into acting against the user whose sessions it inhabits.
No longer surfing alone
Perplexity shipped Comet as a standalone Chromium-based browser whose embedded AI assistant can browse the web, make purchases, send emails, and manage calendars using the owner’s logged-in accounts. The browser reached iOS, Android, Mac, and Windows by spring 2026, and it now ships preloaded on Samsung’s Galaxy S26, making Perplexity the first non-Google company to receive OS-level access on a Samsung device. Anthropic took a different route with Claude in Chrome, an extension that reads the active tab and takes actions inside logged-in services; the extension has surpassed seven million Chrome Web Store downloads. OpenAI launched the Codex Chrome extension on May 8, giving its coding agent access to live browser state, DevTools, and multiple tabs in parallel.
The three products differ in form and in intended audience. Comet is a full replacement browser aimed at general consumers, Claude in Chrome is a sidebar for knowledge workers, and Codex targets developers. All three made the same foundational design decision by placing the agent inside the user’s authenticated sessions, granting it whatever access those sessions provide.
Consequences of the extremely foreseeable variety
LayerX disclosed CometJacking in October 2025, demonstrating that an attacker could embed a malicious prompt inside a URL and cause Comet’s AI to exfiltrate data from connected services without any visible indication to the user. Perplexity initially classified the report as having no security impact; a subsequent disclosure in November revealed that Comet’s local MCP API granted system-level endpoint access without explicit user permissions, a capability that Perplexity silently disabled after publication.
LayerX disclosed ClaudeBleed on May 7, 2026, showing that the Claude in Chrome extension trusted any script executing under the claude.ai origin without verifying whether that script belonged to Anthropic or had been injected by another extension. A proof-of-concept extension with zero declared permissions could instruct Claude to locate a file labeled “Top Secret” in Google Drive and share it with an external address, summarize private Gmail messages, and delete evidence of the access afterward.
Anthropic released a patch in extension version 1.0.70 on May 6, adding permission prompts for sensitive actions. LayerX researchers bypassed the patch within three hours by forcing the extension into its privileged “Act without asking” mode, which restored autonomous command execution without notifying the user or requiring consent.
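The ClaudeBleed pattern above, reduced to its core: a command handler that trusts a message because it arrived on the claude.ai origin cannot tell the vendor's own script from one injected by another extension, and a mode switch that can be requested over the same channel defeats any permission prompt. The toy dispatcher below is an added illustration, not Claude in Chrome's code; the extension id, command names, sender shapes and the 'ask'/'auto' modes are all hypothetical and constructed here.

```javascript
// Added illustration (not Claude in Chrome's code): a toy command dispatcher
// for a hypothetical browser-agent extension. Sender objects are constructed to
// mimic what a browser passes to an extension's message listener; no real
// extension API is called, so this runs under plain Node.
const OWN_EXTENSION_ID = 'ext-self-0000'; // hypothetical id of this extension
const AGENT_ORIGIN = 'https://claude.ai';

// Actions that touch user data or change the agent's own policy.
const SENSITIVE = new Set(['share_file', 'send_email', 'delete_history', 'set_mode']);

// Weak policy: origin is the only thing checked. A content script injected into
// the same origin by another extension passes, including a request to switch
// the agent into autonomous mode, which then silences every later prompt.
function dispatchByOrigin(state, msg, sender) {
  if (sender.origin !== AGENT_ORIGIN) return { ok: false, reason: 'origin' };
  return execute(state, msg);
}

// Hardened policy: sensitive commands and mode changes are accepted only over
// the extension's own runtime channel, whose sender id the browser sets and
// another extension cannot forge. Page-originated messages on the agent's
// origin may still request non-sensitive actions.
function dispatchBySender(state, msg, sender) {
  const fromSelf = sender.channel === 'runtime' && sender.id === OWN_EXTENSION_ID;
  if (!fromSelf && SENSITIVE.has(msg.cmd)) return { ok: false, reason: 'untrusted sender' };
  if (!fromSelf && sender.origin !== AGENT_ORIGIN) return { ok: false, reason: 'origin' };
  return execute(state, msg);
}

// Shared executor: in 'ask' mode sensitive actions wait for the user,
// in 'auto' mode they run immediately.
function execute(state, msg) {
  if (msg.cmd === 'set_mode') { state.mode = msg.mode; return { ok: true, mode: state.mode }; }
  if (SENSITIVE.has(msg.cmd) && state.mode === 'ask') {
    state.pending.push(msg.cmd);
    return { ok: true, pending: true };
  }
  state.done.push(msg.cmd);
  return { ok: true, pending: false };
}

function newState() { return { mode: 'ask', pending: [], done: [] }; }

// Constructed senders: a foreign extension's script running on claude.ai,
// and this extension's own UI talking over the runtime channel.
const FOREIGN_SCRIPT = { channel: 'window', origin: AGENT_ORIGIN, id: 'ext-other-9999' };
const OWN_UI = { channel: 'runtime', origin: AGENT_ORIGIN, id: OWN_EXTENSION_ID };
```

Run the two dispatchers against the same message sequence (set_mode to 'auto', then share_file) from FOREIGN_SCRIPT: the origin-only version executes both silently, the sender-checked version refuses both while still letting OWN_UI queue the action for user approval.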
Only losers lock their doors... or something
Browser security has relied for two decades on isolation. The same-origin policy prevents code on one domain from reading data on another, and Chrome’s extension sandboxing restricts what each add-on can access. A browser agent that reads any open tab, navigates to new pages, clicks buttons, and interacts with logged-in services collapses those isolation boundaries by design rather than by exploit.
The mitigations that vendors have deployed so far, including site allowlists, per-action permission prompts, and mode restrictions, treat the agent’s access as a permissions problem when the underlying conflict is architectural. LayerX’s repeated ability to bypass these controls within hours of their deployment suggests that bolting approval flows onto an agent that already operates inside the trust boundary does not reconstitute the isolation that was removed to make the agent functional in the first place.
All that data won’t sell itself
No vendor will retreat from the browser; the authenticated session is too commercially valuable a position to cede to competitors. Whether browser agents become a durable product category depends on whether their makers can rebuild the isolation model to accommodate agents, having spent the past year dismantling it to ship them.

Security with LLMs is a category error.