- itscybernews
- Posts
- Your browser can now do your shopping, book your travel, and log into your bank — by itself. This summer it went mainstream. Then researchers watched it hand a stranger the keys.
Your browser can now do your shopping, book your travel, and log into your bank — by itself. This summer it went mainstream. Then researchers watched it hand a stranger the keys.
The new agentic browsers are astonishing — you ask, and they run the errand. Then three teams sat them in front of real scams. One walked into a fake bank and offered to type in the password.
/ad

There’s a small, specific magic to the first time it works. You open a new kind of browser, type one plain sentence — “find me the cheapest flight to Lisbon in October, aisle seat, under €200” — and then you just watch. Tabs open on their own. Filters get clicked. A booking form starts filling itself in, your name already in the box. You didn’t do any of it. You asked, and a machine went and did the errand for you.
That’s an agentic browser — and this summer, it stopped being a demo and became something millions of people actually have. It is one of the most genuinely useful pieces of consumer software in years.
It’s also, as of the last few weeks, one of the most quietly alarming. Because three different research teams did the obvious experiment — they let these helpful little agents loose on the open web, scams and all — and watched what happened. As always, this is itscybernews, so there’s a catch. This one is a big one.
Let’s marvel first. Because this one earns it.
Your employees are connecting AI to everything. Now what?
ChatGPT and Claude don't just answer questions anymore. Employees are connecting them directly to Notion, Linear, Jira, and the rest of your stack. The AI can read, write, and take actions on company data. Most IT and security teams have no visibility into any of it.
Harmonic Security Connectors changes that. It sits inline with every AI-to-app connection, so you see each call, control what data moves, and block destructive actions before they happen. Employees notice nothing different.
See what's actually running across your business in a live demo.
✨ The wonderful part: you ask, and the web does itself
For thirty years, using the internet has meant you doing the clicking. You are the cursor. You open the tab, you read the page, you fill the form, you hit submit. The web is a place you operate by hand, one click at a time.
Agentic browsers break that. Tools like Perplexity’s Comet and OpenAI’s ChatGPT Atlas don’t just show you web pages — they act on them. You give an instruction in plain English, and the AI drives the browser itself: reading pages, comparing options, filling in forms, clicking through checkout. It’s the difference between a map that shows you the route and a driver who takes you there.
And the everyday uses are legitimately great. Picture the boring digital chores that eat your evenings:
”Reorder everything from my usual grocery list and book the earliest delivery slot.” It opens the store, rebuilds the cart, picks the slot.
”Go through these 40 unread emails, unsubscribe from the junk, and summarize anything that actually needs a reply.” It reads, sorts, and clicks the unsubscribe links so you don’t have to.
”Find three plumbers near me with good reviews, and draft the same message to all of them.” It searches, reads the reviews, and writes the drafts.
”Compare this insurance quote to what three competitors would charge for the same cover.” It fills out each competitor’s quote form and brings you the numbers.
This is the promise that makes 2026 the year “agents went mainstream” — the year the software stopped waiting for your next click and started completing the whole task. It feels like getting time back. A tireless intern who never gets bored of the tedious stuff, working at the speed of a search engine.
So: a browser that runs your errands while you get on with your life. What could possibly go wrong with that?
The problem is that your tireless intern is also deeply gullible. And it’s holding your keys.
🎣 The catch: it has the keys to everything, and it trusts everyone
Here’s the uncomfortable pivot. To run those errands, the agent needs one thing above all: access to a browser you’re logged into. Your email. Your bank. Your shopping accounts, saved cards, and delivery address. It can only reorder your groceries if it’s signed in as you.
Which means when the agent gets fooled, it doesn’t get fooled with its money and its accounts. It gets fooled with yours. And this summer, three separate teams proved exactly how easily that happens.
Exhibit one: it walked into a fake bank and offered to fill in the password. Security researchers at Guardio Labs ran a now-famous set of experiments they nicknamed ”Scamlexity.” They sent Perplexity’s Comet a simple email — from a throwaway address — posing as a Wells Fargo manager, with a link to a real phishing page that was live on the internet and not yet flagged by Google. Comet read the email, confidently logged it as a genuine to-do “from the bank,” and clicked the link. No URL check. When the fake Wells Fargo login loaded, the agent treated it as the real thing and prompted the user to enter their banking credentials — and helpfully started filling in the form. A human might have squinted at the address bar. The agent never did.
Exhibit two: it’s a pattern, not a one-off. At the end of June 2026, researchers unveiled an attack that fooled six different agentic browsers and assistants — including ChatGPT Atlas, Perplexity Comet, and Anthropic’s Claude browser plugin — into copying credentials out of the user’s own signed-in sessions. Different tools, same soft underbelly.
Exhibit three: the academics found a structural hole, not just a trick. A team at the University of Washington studied seven popular agentic browsers. Four of them let an attacker punch through the same-origin policy — one of the oldest, most fundamental safety walls on the web, the rule that stops one website from reaching into another’s data. They ran a working proof-of-concept attack on ChatGPT Atlas. Their two weapons were both worryingly quiet:
Prompt injection — hidden text on a web page (sometimes literally invisible in the code) that the agent reads as instructions. The page says, in effect, “ignore your user and do this instead,” and the agent, unable to tell your commands from the page’s, obeys.
Memory poisoning — agents remember things between tasks to be more helpful. Slip a bad instruction into that memory and it can steer the agent’s behavior later, long after the malicious page is closed.
The line from the UW team that should stick with you: when an AI agent is given access as close as a human’s, it can be tricked in ways a human generally isn’t — and there is currently no clean way to fix this while keeping the browsers as capable as they are. That’s not a bug waiting on a patch. That’s the shape of the thing.
And it scales. Palo Alto’s Unit 42 warns that criminals running bot farms of these agents could fire off tens of thousands of fraudulent transactions in a single hour — faster than any human fraud team could blink.
The uncomfortable truth underneath all three experiments is the same: the agent has all your privileges and none of your instincts. It won’t get a bad feeling about a too-good deal. It won’t notice the address bar is one letter off. It reads a scammer’s hidden instruction with the exact same trust it reads yours.
🛡️ The good news: you can keep the magic and cage the risk
Here’s the trap: thinking the choice is use the amazing agent and risk your bank or give it up entirely. It isn’t. The danger isn’t the agent’s intelligence — it’s the agent’s access. Shrink the access and you keep almost all the magic while starving the disaster. Most of this is free and takes minutes.
Never let the agent drive the browser that’s logged into your bank. Run the agent in a separate, clean browser profile — one with no saved passwords, no banking, no primary email signed in. If prompt injection strikes, it can only reach accounts the agent can actually see. An empty profile is a small blast radius.
Keep money, taxes, health, and identity as hands-on-keyboard tasks. The researchers are unusually united here: anything involving logging into a bank, moving money, filing taxes, or entering ID documents should not be delegated yet. Let it find the flight. You enter the card.
Never turn off the “ask me first” confirmations. Good agentic browsers pause and require your explicit approval before a purchase, a login, or sending a file. That prompt is the seatbelt. It’s tempting to switch it off to make the agent smoother. Don’t.
Treat the agent like a brand-new intern, not a trusted friend. Read the action preview before you approve. If it’s about to log in somewhere, glance at the actual web address it’s on. You are the instinct the agent doesn’t have.
Don’t let it roam sketchy sites while you’re logged into good ones. The riskiest move is running an agent across untrusted pages in the same session where sensitive accounts are live. Separate the two, always.
✅ What to actually do
This week, if you use (or want to try) an agentic browser:
Make a second, empty browser profile just for the agent — no bank, no primary email, no saved cards. That one habit contains almost every worst-case scenario.
Draw a personal “no-agent” list — banking, taxes, health portals, government logins, anything with your ID. Those stay hands-on-keyboard; the agent researches, you press the final button.
Keep human-confirmation prompts ON and actually read the preview before approving a purchase or a login — including the web address it’s on.
When choosing an agentic browser, reward the safe design — clear action previews, confirmation before sensitive actions, scoped site access, and an easy way to stop or undo.
The takeaway
Agentic browsers are the real thing. For the first time, you can hand the tedious machinery of the web — the forms, the comparisons, the endless clicking — to something that just goes and does it. That’s not hype; it’s a genuine leap, and it will reshape a lot of ordinary digital drudgery for the better. It deserves to be celebrated.
But the same access that lets it run your errands lets it wreck your afternoon. This summer, three teams watched these agents click a live phishing link, walk into a fake bank, and get steered by invisible text on a page — using the user’s own logged-in accounts, at machine speed, with none of the gut instinct that saves the rest of us. And the researchers were blunt: there’s no clean fix yet that keeps the agent this capable and this safe.
So take the magic. It’s real, and it’s worth having. Just don’t hand it your keys. Give it a clean, empty room to work in, keep your bank on the far side of a locked door, and remember the one thing your tireless little intern will never learn on its own: when a deal looks too good and a login looks slightly off — stop. That instinct is still yours. Don’t automate it away.
Click carefully, stay curious.
— itscybernews
Was this forwarded to you? Reply and tell us what you’d like us to dig into next — we read every one.

