
Sure, Let AI Browse the Internet—What Could Possibly Go Wrong?

Internet browsing for AI agents leads to zero-click compromise, but these mitigations can help

Letting an AI agent search the web at will is extremely dangerous — an attacker could inject malicious instructions into your private conversation and exfiltrate sensitive data from it, all without your knowledge or approval.

There are two web-browsing-related vulnerabilities the industry has been able to document so far. Both are understood well enough that we have a few relevant mitigations to consider. If you're building an AI app, use them! A word of caution though: it's important to remember that this is an ever-evolving field. This is only what I know today. Who knows what we’ll find tomorrow!

Let’s look at these vulnerabilities:

You should never blindly trust things written on the Internet, right? Well, GenAI is happy to follow any instructions, if you write them well. An agent with Internet access is always one search away from a website with hidden malicious instructions, and from being taken over by an external attacker. This is the first vulnerability - web browsing opens up a door for an external hacker to compromise your private AI threads.

You know who else is on the Internet? Everyone else, including attackers. If an attacker can compromise your agent, they can instruct it to search a website they control. That means the agent will reach out - proactively, without a user in the loop - to a website a hacker controls. The common exploit is encoding the data to be exfiltrated into a URL parameter. This is the second vulnerability - web browsing allows a hacker to exfiltrate sensitive data from your private thread without asking for approval.

Fortunately for us [1], we do have some design patterns for mitigation. Apply one of the following:

  1. Limit which websites the agent can search in. See Content Security Policy (employed by Microsoft Copilot and Google Gemini) and URL Anchoring (employed by ChatGPT).

  2. Let the agent ask a trusted third party to look at the website and provide key information. See Index-Based Browsing.

  3. Decide it’s too risky and remove web browsing entirely.
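To make options 1 and 2 concrete, here is an added example (my own illustration, not code from Zenity Labs or from any of the products named above) of a gate that an agent's browsing tool would call before every fetch. It combines a host allowlist (the Content Security Policy idea) with URL anchoring, which I implement here as "the agent may only open URLs that the user or a trusted search step actually surfaced, not URLs it composed itself". The hosts, URLs, and the `SECRET_FROM_THREAD` value are all constructed for the demo; the way real products implement anchoring is an assumption on my part.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the agent may browse (hypothetical values).
ALLOWED_HOSTS = {"docs.example.com", "en.wikipedia.org"}


def normalize(url: str) -> str:
    """Canonical form used for anchoring comparisons: lower-cased scheme/host,
    path, and query; fragments are dropped because they never reach the server."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{path}{query}"


class BrowsingGuard:
    """Policy gate for an agent's 'open URL' tool.

    anchored: URLs surfaced by the user or by a trusted search/index step.
    Only these may be fetched, so an agent that was prompt-injected cannot
    compose a fresh URL carrying thread data to a host of the attacker's choice,
    and even on an allowlisted host it cannot invent a query string.
    """

    def __init__(self, allowed_hosts):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.anchored = set()

    def anchor(self, urls):
        """Record URLs produced by a trusted source (search results, user message)."""
        for u in urls:
            self.anchored.add(normalize(u))

    def check(self, url: str):
        """Return (allowed, reason) for a URL the model wants to open."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return False, "only https is permitted"
        host = (parts.hostname or "").lower()
        if host not in self.allowed_hosts:
            return False, f"host {host!r} is not on the allowlist"
        if normalize(url) not in self.anchored:
            return False, "url was not surfaced by the user or search; agent-composed urls are refused"
        return True, "ok"


def demo():
    """Constructed scenario: a thread contains a secret, the agent ran one trusted
    search, and an injected instruction then tries two exfiltration URLs."""
    SECRET_FROM_THREAD = "U0VDUkVU"  # constructed placeholder, base64 of 'SECRET'
    guard = BrowsingGuard(ALLOWED_HOSTS)
    # Results returned by the trusted search step (constructed).
    guard.anchor([
        "https://docs.example.com/api/auth",
        "https://en.wikipedia.org/wiki/Content_Security_Policy",
    ])
    attempts = {
        # Attacker-controlled host: blocked by the allowlist.
        "offsite": f"https://attacker.example/collect?d={SECRET_FROM_THREAD}",
        # Allowlisted host, but a query string the agent composed: blocked by anchoring.
        "onsite_composed": f"https://docs.example.com/search?q={SECRET_FROM_THREAD}",
        # A URL the search step actually returned: allowed.
        "anchored": "https://docs.example.com/api/auth",
    }
    return {name: guard.check(u) for name, u in attempts.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:16} allowed={allowed} reason={reason}")
```

The gate is deliberately a deny-by-default function returning a reason string, so the refusal can be logged and surfaced to the user; a blocked agent-composed URL carrying data from the thread is exactly the signal a detection team would want to alert on.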

Ohh, and there’s also the fourth and most popular option: bury your head in the sand and wait for a viral compromise. This option is not recommended.

[1] These were all discovered the hard way, in response to reported vulnerabilities in live production applications.
