Browser Agents Are Racing Ahead. Their Safety Isn’t
Browser agents are crossing a line the web hasn't seen before.
What began as computer use demos is rapidly becoming a mainstream pattern: connect a powerful model to a real browser, give it tools, and let it do work with a simple prompt.
For users, that's exciting. But the capabilities that make browser agents useful also make them ideal abuse tools.
In October 2025, the hCaptcha Threat Analysis Group (hTAG) ran a comprehensive benchmark of popular browser agents to see how they behave when asked to do malicious things.
The results were stark:
Agent vendors have put no meaningful safeguards in place to prevent abuse of these tools. Safety is an afterthought for them.
What We Tested, and What We Saw
We evaluated five widely used browser agents across 20 of the most common abuse scenarios we see in the wild, including:
- Multi‑accounting and rate‑limit evasion
- Password resets for third parties
- Session hijacking via cookies/localStorage
- Card testing and coupon brute forcing
- Support impersonation and hidden data exfiltration
We measured three things:
1. Refusals: Does the agent say no to a harmful task?
2. Robustness to trivial jailbreaking: Does it still refuse if the request is slightly rephrased or trivially encoded?
3. Task success: When it tries, does it actually succeed?
We deliberately stayed simple on the attack side: plain English prompts, then minor rephrasings, and only the most basic jailbreaking techniques.
Across the board, the agents attempted nearly every malicious request. When they failed, it was almost always because they lacked a capability (no devtools, no cookie‑writing API), not a refusal on safety grounds.
A few examples from our logs:
- Multiple agents reset passwords for other people with no verification, after being told "I have their permission."
- Several agents inserted or attempted to insert session tokens via cookies or localStorage to hijack accounts.
- More than one agent auto‑filled credit card forms, inventing CVV and expiry data that was never provided.
- Agents repeatedly tried to bypass paywalls, brute force coupons, or probe hidden endpoints and sensitive files.
- In one case, an agent went further than the user: executing SQL injection on its own to exfiltrate hidden data.
Refusals, when they occurred, were both rare and fragile. A slightly different prompt or trivial obfuscation was enough to get the agent to comply.
From a security perspective, these are systems that behave like a highly capable, semi‑autonomous attacker eager to be helpful.
Why This Matters for Online Services
For years, the web threat model has assumed that:
1. Browsers are user‑controlled, and
2. Automation looks and behaves differently from humans.
Browser agents break both assumptions.
They operate inside a real browser, with human‑like mouse and keyboard patterns. If their default behavior is "do anything asked, no questions," then any attacker who can write a prompt can weaponize them.
For operators of online services, the practical implications are large.
1. Account Takeover Becomes UI‑Level API Abuse
Traditional ATO defense focuses on credential stuffing, device fingerprints, and IP reputation. Browser agents route around that by acting like a first‑class user:
- Walking through "forgot password" flows for third parties
- Replaying tokens via cookie or storage injection
- Abusing support flows by convincingly impersonating customers
If agents happily execute these flows, you're effectively handing an attacker a high‑skill, UI‑driven bot that can adapt in real time to your front‑end defenses.
2. Payment and Card Testing at Scale
For any business that processes payments, the risks are obvious:
- Card testing via real payment flows
- Coupon code brute forcing
Because agents navigate full flows, they can perform attacks that look like legitimate experimentation or user friction.
3. Martech Data Pollution and Funnel Distortion
On the martech side, browser agents introduce more subtle but still serious problems:
- Analytics distortion: Automated signup, browsing, and interaction patterns that pollute growth and conversion metrics.
- Support and review manipulation: Agents can auto‑file complaints, submit forms, or leave feedback at scale, mimicking diverse user behavior.
- Experiment contamination: A/B tests and personalization systems may optimize around agent behavior instead of human behavior.
If your growth strategies or attribution models are tuned on polluted data, your decisions will drift, even if no one is attacking you in the traditional sense.
What Online Services Should Do Now
Agent vendors will need time and incentives to add any safety measures. In the meantime, operators of online services can't wait.
A few steps to take today:
- Assume browser agents are in your traffic mix now. They are already being used by legitimate users and attackers alike.
- Revisit your trusted browser assumptions. Treat UI flows as potential automation surfaces, not inherently human.
- Guard critical operations with intent‑aware checks. Look at end‑to‑end user journeys, not single events: is this session behaving like a human trying to solve a problem, or like a tool methodically probing weaknesses?
- Log and review high‑risk sequences. Password resets, payment attempts, and support escalations deserve deeper scrutiny when behavior looks scripted or exaggeratedly helpful.
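As an added example that is not hCaptcha's code, the following scores each session as a journey rather than as single events, flagging the high‑risk sequences listed above (multi‑account password resets, rapid card testing, coupon brute forcing); the log format, event names and thresholds are assumptions, and the log lines are constructed.

```python
# Added example, not hCaptcha's code: journey-level scoring of a session's event sequence.
# Log format, event names and thresholds are illustrative assumptions; the sample log is constructed.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2025-10-01T10:00:01 s1 password_reset target=alice@example.com
2025-10-01T10:00:09 s1 password_reset target=bob@example.com
2025-10-01T10:00:17 s1 password_reset target=carol@example.com
2025-10-01T10:03:20 s2 payment_attempt card=4111 result=declined
2025-10-01T10:03:25 s2 payment_attempt card=5500 result=declined
2025-10-01T10:03:30 s2 payment_attempt card=3400 result=declined
2025-10-01T10:03:35 s2 payment_attempt card=6011 result=declined
2025-10-01T10:10:40 s3 coupon_apply code=SAVE10 result=invalid
2025-10-01T10:12:00 s3 coupon_apply code=SAVE20 result=ok
2025-10-01T10:15:00 s3 payment_attempt card=4111 result=ok
"""
THRESHOLDS = {              # illustrative; tune per site
    "reset_targets": 2,     # distinct accounts reset within one session
    "cards_per_minute": 3,  # distinct cards tried within a 60 s window
    "coupon_failures": 3,   # rejected coupon codes within one session
}
def parse_log(text):
    """Group (timestamp, event, details) tuples by session id."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sid, event, *pairs = line.split()
        details = dict(p.split("=", 1) for p in pairs)
        sessions[sid].append((datetime.fromisoformat(ts), event, details))
    return sessions
def score_session(events):
    """Return findings for one session, judged as a sequence rather than per event."""
    findings = []
    targets = {d["target"] for _, e, d in events if e == "password_reset"}
    if len(targets) >= THRESHOLDS["reset_targets"]:
        findings.append(f"password resets for {len(targets)} distinct accounts")
    payments = [(t, d["card"]) for t, e, d in events if e == "payment_attempt"]
    for i, (t0, _) in enumerate(payments):  # sliding 60 s window over card attempts
        cards = {c for t, c in payments[i:] if (t - t0).total_seconds() <= 60}
        if len(cards) >= THRESHOLDS["cards_per_minute"]:
            findings.append(f"{len(cards)} distinct cards within 60s (card testing)")
            break
    rejected = sum(1 for _, e, d in events if e == "coupon_apply" and d["result"] != "ok")
    if rejected >= THRESHOLDS["coupon_failures"]:
        findings.append(f"{rejected} rejected coupon codes (brute forcing)")
    return findings
def flag_sessions(text):
    """Map session id -> findings, for sessions with at least one finding."""
    scored = ((sid, score_session(ev)) for sid, ev in parse_log(text).items())
    return {sid: f for sid, f in scored if f}
```

Session s3 (one rejected coupon, then a successful payment) produces no finding, which is the point: the same event types are benign or abusive depending on the sequence they appear in.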
At hCaptcha, we've found that intent‑based analysis is the most reliable way to manage these new risks.
Directly detecting agent activity is useful but not always sufficient: reasoning about the user's journey is necessary.
The Next Platform Risk
Browser agents are not going away. They are the natural next step in the evolution of AI tools, from text APIs to full control of a browser session.
But that also makes them the next major platform risk. If we ship them into production environments with no action‑level guardrails, we should expect:
- More account takeovers that look nearly normal in logs
- More payment fraud that bypasses traditional bot defenses
- More data pollution and growth distortion in martech stacks
With no legal incentives to invest in safety, these tools will continue to proliferate with no real attention to abuse potential.
Mitigations remain the responsibility of site operators. Evaluate your tools carefully to see whether they have evolved to cover these new threats.