AI browsers could be at risk of “sidebar spoofing” attacks stemming from malicious browser extensions, SquareX Labs reports. With the launch of OpenAI’s ChatGPT Atlas this week and Perplexity’s Comet earlier this year, AI browsers have been gaining steam and embedding the power of large language models (LLMs) more deeply into users’ online experiences.From a cybersecurity perspective, these browsers represent a new potential attack vector, with previous proof of concept (PoC) attacks showing how Comet could be manipulated to exfiltrate sensitive data or deliver malicious links. The latest PoC attack targets the AI sidebar, a common feature across both AI-specific browsers and existing browsers that have added AI features, such as Microsoft Edge’s Copilot Mode.In this AI sidebar spoofing attack, a malicious extension installed by the user and granted host and storage permissions can inject JavaScript into a webpage to display a fake sidebar with the same appearance as the browser’s native AI sidebar, SquareX explains.The extension can then hook into another LLM with attacker-controlled settings and system prompts, so that the user may receive malicious instructions when submitting prompts into the sidebar.SquareX tested this technique with the Comet browser, installing their own extension designed to deliver malicious responses to certain user prompts. Such an extension could be disguised as a legitimate extension, such as a password manager or AI tool, to trick users into installing it.In one case, if the user asks for advice selling cryptocurrency on Binance, the spoofed sidebar assistant provides instructions with a link to a fake Binance login page. In another case, when the user is asking for help finding a file sharing app, they are provided a link to a malicious app that requests excessive Google OAuth permissions.In the final case study demonstrated by SquareX, the user uses the spoofed sidebar to ask how to install Homebrew, to which the attacker’s LLM responds with a command that will create a reverse shell on the victim’s machine. When the user copies, pastes and runs this command, believing it will install Homebrew, the attacker gains backdoor access to the machine.SquareX adds that the attacker could instead have the LLM provide instructions to install malicious packages while claiming they are necessary dependencies for Homebrew installation. Either way, if the user trusts they are receiving legitimate instructions from Perplexity’s LLM, they are likely to follow the instructions without recognizing the threat.“Because our natural inclination is to trust automation, it’s critical to embed cybersecurity principles and safety guardrails throughout every stage of the AI journey to build resilience and confidence as we innovate,” Andre Shari, APAC cybersecurity VP and CISO at Schneider Electric, said in a statement accompanying SquareX’s blog post.SquareX said the PoC attacks were reported to Perplexity and that they did not receive a response from the company prior to publishing their findings on Oct. 16, 2025.The researchers recommend organizations address AI browser risk by limiting and auditing the installation of browser extensions by employees, and setting browser-native policies that block detected phishing sites and high-risk OAuth permissions from non-whitelisted apps. Security-focused browser extensions could also help to detect and block malicious activity within the browser.
AI/ML, AI benefits/risks, Exposure management
AI browser risks demonstrated by PoC sidebar spoofing attack
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds