Varonis — STARTAGENT: Architectural Vulnerabilities in Agentic LLM Browsers
AI relevance: Agentic browsers like Perplexity Comet and OpenAI Atlas give LLMs programmatic control over web navigation, cookies, and form-filling — meaning a single XSS or prompt injection can escalate from cookie theft to full agent hijack, cross-tab data exfiltration, and unauthorized transactions.
- Varonis Threat Labs (researchers Itay Yashar and Hadas Shelev) published STARTAGENT — a comprehensive analysis of agentic LLM browser architectures and attack surfaces
- Covered four browsers: Perplexity Comet (fully autonomous), OpenAI Atlas (fully autonomous), Microsoft Edge Copilot (assisted/non-autonomous), Brave Leo AI (assisted)
- All agentic browsers bridge the traditional sandbox with remote LLM backends, creating novel attack vectors fundamentally different from classic browsers
- In Comet, chrome.runtime.sendMessage allows authorized web origins to invoke powerful extension tools — including file reads and internal network access
- Atlas decouples a native Swift client from a Chromium-based OWL Host via Mojo IPC — trusted OpenAI origins can pass structured commands directly into a privileged environment
- Edge Copilot uses window.parent.postMessage from a copilot.microsoft.com iframe to trigger Mojo interfaces on a privileged parent page
- Indirect prompt injection (hidden instructions in page content, metadata, or titles) remains the central risk — the agent reads untrusted HTML directly into the model
- Data-void attacks: if an attacker controls the only content on an obscure topic, the LLM treats it as ground truth and may load weaponized sites
- The core paradox: to be useful, agentic browsers must cross the very isolation boundaries that traditional browser security spent decades hardening
Why It Matters
Agentic browsers are moving into mainstream use, but their security model is fundamentally inverted compared to traditional browsers. Instead of isolating untrusted content, these browsers give LLM agents elevated access to your session, cookies, and permissions — then feed untrusted web content directly into the agent's decision-making loop. A standard XSS on any website can now become a control-plane hijack: the attacker doesn't need to steal your cookie; they can instruct the agent to act on your behalf. Current guardrails are inconsistent across vendors, and the research notes these browsers are "a prime target for real-time fuzzing and offensive research."
What To Do
- Limit agentic browser scope — avoid using autonomous browsers (Comet, Atlas) for sensitive workflows like banking, email, or admin consoles
- Monitor backend systems — many agentic browser attack impacts (sensitive document access, anomalous outbound connections) surface in backend telemetry, not in the browser itself
- Assume prompt injection is possible — treat any web content the agent can read as potentially hostile, including page titles, metadata, and image alt text
- Track vendor security updates — Comet, Atlas, Edge Copilot, and Brave Leo all use different architectures with different threat models; stay current on each
- Consider origin and tool scoping — restrict which web origins can communicate with browser extensions or IPC channels
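As an added example (not code from Varonis or any of the browser vendors) of the origin and tool scoping recommended above, applied to the kind of iframe-to-parent postMessage bridge described for Edge Copilot: a weak message handler that dispatches any request from any sender, beside a hardened one that matches the sender origin exactly, enforces a per-origin tool allowlist, and validates the message shape before any tool runs. The trusted origin, tool names and message format are assumptions for illustration, not any product's actual protocol.

```javascript
// Added example, not code from Varonis or any browser vendor. Simulates a
// privileged parent page receiving window.postMessage from an assistant iframe.

// Hypothetical privileged tools exposed by the parent page (names are assumptions).
const TOOLS = {
  navigate: (url) => `navigated:${url}`,
  readLocalFile: (path) => `file:${path}`,
  fetchInternal: (host) => `fetched:${host}`,
};

// Weak handler: no origin check, no tool scoping. Any frame that can reach
// window.parent.postMessage can drive every tool.
function weakHandler(event) {
  const { tool, args } = event.data;
  return TOOLS[tool](...args);
}

// Hardened handler: exact origin match (a Map lookup, never a prefix or
// substring test), a per-origin tool allowlist, and message-shape validation.
const ORIGIN_TOOL_SCOPE = new Map([
  ["https://assistant.example", new Set(["navigate"])], // constructed trusted origin
]);

function hardenedHandler(event) {
  const allowedTools = ORIGIN_TOOL_SCOPE.get(event.origin);
  if (!allowedTools) return { ok: false, reason: "untrusted-origin" };

  const msg = event.data;
  if (msg === null || typeof msg !== "object" ||
      typeof msg.tool !== "string" || !Array.isArray(msg.args)) {
    return { ok: false, reason: "malformed-message" };
  }
  // hasOwnProperty guards against names like "constructor" resolving via the prototype.
  if (!Object.prototype.hasOwnProperty.call(TOOLS, msg.tool) || !allowedTools.has(msg.tool)) {
    return { ok: false, reason: "tool-not-in-scope" };
  }
  return { ok: true, result: TOOLS[msg.tool](...msg.args) };
}

// Browser wiring; skipped when run outside a browser (e.g. under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => hardenedHandler(e));
}
```

The same scoping idea applies to extension message ports: key the allowlist on the verified sender origin the platform supplies, never on fields inside the message body.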
Sources: