SquareX Shows AI Browsers Fall Prey to OAuth Attacks, Malware Downloads& Malicious Link Distribution

Palo Alto, California, October 9th, 2025/CyberNewsWire/--As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps.

The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google and The Browser Company have announced or released their own AI browsers.

With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change.

\

In the technical blog, SquareX discloses a few ways Comet was exploited, illustrating each with case studies. In one example, in completing a research task, Comet fell prey to an OAuth attack, providing attackers with full access to the victim’s email and Google Drive.

This allowed attackers to exfiltrate every file stored on the victim’s account, including those shared by colleagues and customers. In another, the AI browser was completing tasks in the user’s inbox - a common use case advertised by Comet itself - when it ended up distributing a malicious link to the victim’s colleague through a calendar invite. Other examples include tricking Comet into downloading known malwares and emailing sensitive files to attackers. 

Unfortunately, existing solutions like EDRs and SASE/SSE have limited visibility into browsers. Today, there is no way to differentiate between activities performed by a user or Comet, as both network requests originate from the same browser.

Thus, it is critical that enterprises have a browser-native solution that can differentiate between agentic and user identities, allowing them to apply differentiated guardrails on the data and actions that the AI browser can access or perform.

With the increasing integration of agentic AI into browsers, AI agents may soon dominate browsing activity over human users. This shift necessitates a collaboration between enterprises, browser developers, and cybersecurity companies to create robust security frameworks and protective measures to prevent attackers from exploiting AI Browsers.

SquareX's findings provide a crucial warning about the dangers of relying on traditional solutions to solve modern threats, and hopes to serve as an encouragement for an urgent industry-wide cooperation.

About SquareX

SquareX's browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks.

Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, delivering security without compromising user experience. More information about SquareX’s research-led innovation is available at www.sqrx.com.

Contact

Head of PR

Junice Liew

SquareX

junice@sqrx.com

:::tip This story was published as a press release by Cybernewswire under HackerNoon’s Business Blogging Program. Do Your Own Research before

:::

\