WAAA! Web Adversaries Against Agentic Browsers
Sohom Datta, Alex Nahapetyan, William Enck, Alexandros Kapravelos

TL;DR
This paper introduces a comprehensive web-focused threat model for agentic browsers that integrate LLMs, derives 20 attack types from it, and demonstrates their effectiveness across multiple models, exposing significant security weaknesses in current agentic browsers.
Contribution
It presents the first web-centric threat model for agentic browsers, develops a taxonomy of attacks, and empirically demonstrates their impact across various LLMs.
Findings
18 of 20 attacks were successfully implemented.
Agentic browsers face five major failure modes against web threats.
Attacks are effective across four major LLM models.
Abstract
Large language models (LLMs) are increasingly being integrated into web browsers to create agentic browsing systems that execute actions on behalf of the user. Prior work considering the security of agentic browsers focuses exclusively on indirect prompt-injection attacks. However, by failing to consider traditional web attacks, previous agentic browser threat models have a blind spot to web social engineering attacks originally designed to trick humans. In this paper, we propose the first web-focused threat model for agentic browsers and use it to derive a taxonomy of 20 attacks across both the web and LLM space, and implement 18 of the attacks. Our threat model extends the original SeeAct browser agent model to account for all components of a browser, and frames the agent as a confused deputy unable to distinguish task steps from traditional web attacks. We show that 10…
