Imagine shopping for a new laptop. Instead of checking multiple sites yourself, your browser's built-in AI buddy compares prices, applies discount codes, and completes the purchase while you grab a coffee. It's convenient, until that same feature is tricked into sending your payment details somewhere else.
These agentic browsers are the latest evolution of AI-driven tools: web browsers that don't just find information but act on your behalf. They can book travel, manage tasks, or even automate purchases through new interoperability protocols connecting AI systems with external services. The result is a seamless user experience—and a fresh security frontier that criminals are eager to explore.
From Search Bars to Smart Companions
Popular browsers are racing to integrate AI assistants into their main interfaces. Microsoft Copilot now appears in Edge, while Gemini is embedded in Chrome. At the same time, we're seeing entirely new agentic browsers like Perplexity's Comet and OpenAI's ChatGPT Atlas redefining what a browser can do from the ground up.
Technological shifts like this are often accompanied by the development of new protocols, and that's certainly the case with agentic browsers. Protocols enable interoperability, creating ecosystems that unlock innovation.
We're now seeing a growing number of protocols that define how AI models interact with external systems—enabling actions such as sending emails, retrieving documents, or executing code. Notable examples include MCP, A2A, and ACP, each with its own advantages, drawbacks, and potential risks.
A Converging Ecosystem Creates Opportunity
The browser, AI assistant, and protocol landscapes are evolving at remarkable speed, increasingly intersecting and influencing one another. To illustrate just how much is happening, consider this snapshot from recent news headlines:
In an earlier article, we explored MCP in depth. In this piece, we'll turn our focus to agentic browsers—examining their pros, cons, and unknown risks through one of the most anticipated use cases: agentic shopping and the payment protocols that enable it.
How Agentic Browsers Work
Agentic browsers go beyond traditional browsing by performing actions automatically on behalf of the user. These capabilities are powered by large language models and enabled by new interoperability protocols. For example, they can:
Navigate websites autonomously
Compare products and prices across multiple retailers
Fill shopping carts and complete purchases
Book flights, reserve restaurants, or schedule appointments
Read and summarize documents
Manage emails and calendars
Execute multi-step tasks while you watch—or step away
As a rule of thumb, a good agentic browser should be able to carry out complex workflows across multiple websites using human language instructions in a chat-like interface. Depending on the task, the user may expect the browser to reach a goal independently after the initial command, or to engage in an interactive, conversational process along the way.
A key novelty of agentic browsers is their ability to perform actions originally designed for humans—such as filling in online forms or selecting options—effectively simulating user behavior. To fully represent you, however, a browser may need to access information that wasn't explicitly provided in your instructions, such as payment credentials or data sourced from other websites you use.
The Pros and Cons of Agentic Browsers
The upsides and downsides of agentic browsers follow a familiar pattern: making life easier often comes at the cost of increased exposure to security and privacy risks. Unfortunately for users, agentic browsers combine three characteristics that security researcher Simon Willison calls the "lethal trifecta":
Access to private data
Exposure to untrusted content
The ability to communicate externally
Together, these characteristics offer critical capabilities for good—and for harm. If exploited, they make agentic browsers a powerful new tool for scammers and other malicious actors.
The Unknown Risks of Agentic Browsers
A key unknown about agentic browsers—and the protocols that grant them access to private data—is how these technologies will shape the trust different groups place in the internet and in AI itself.
Will techno-fear take hold as users lose direct control, or could these systems actually win over skeptics by reducing the need for constant human engagement? Is the idea of outsourcing online purchases a step too far from a trust perspective, or will new payment protocols inspire confidence through greater standardization and transparency?
We might draw parallels from ongoing debates around trust in AI agents more broadly, where the imperfection of safety guardrails is often exposed. Some users may grow more trusting as these protections improve over time, while others may take the opposite view—seeing an agentic browser that decides what to show or hide as an Orwellian Big Brother.
Unlocking the Next Era of E-Commerce: Agentic Shopping
Perhaps the most anticipated use case for agentic browsers is online shopping. While payment security remains a question mark, the benefits of outsourcing a shopping workflow—for speed, decision support, and the ability to act at the right time when a product becomes available—are often touted.
Consider the very human practice of asking a friend to join you on a shopping trip. As you visit stores, that friend might offer advice, know where the best deals are, or even have a discount card. All the while, you chat along the way. It may sound like something out of reality TV, but this dynamic—having a trusted shopping buddy—isn’t new. In higher stakes contexts, such as buying a house, the same concept applies when an estate agent advises and acts on your behalf.
From SSL to AI: The Evolution of Online Shopping
Since Netscape's introduction of SSL encryption in 1995, browsers have already transformed the shopping experience by digitizing the solo customer journey. This shift brought clear benefits—greater choice, thriving delivery networks, fewer car trips—but also clear downsides, such as the decline of small retailers and the rise of scamming via fake online shops.
What now seems to be just around the corner is an extension of that digital revolution: agentic browsers that can act as a digital shopping buddy. This new best friend doesn't just offer advice—it can also buy on your behalf. By granting your AI buddy delegated authority, you're effectively handing it your credit card and trusting it to complete transactions via payment protocols such as AP2.
Based on current trends, we can expect this kind of agentic shopping to become the norm. Adobe, for instance, recently observed that "Generative AI-powered shopping rises with traffic to US retail sites up 4,700%". Technological leaps like agentic browsing introduce new protocols, and agentic shopping is no different: Visa has introduced Visa Intelligent Commerce and the Trusted Agent Protocol, Mastercard has unveiled Agent Pay, and OpenAI has announced the Agentic Commerce Protocol.
The Pros and Cons of Agentic Shopping
While we can't say for sure that agentic shopping is inevitable, the digitalization and automation of shopping and payment tasks bring clear advantages, drawbacks, and unknown risks.
The Upside: Speed, Reach, and a Tireless Shopping Buddy
On the plus side, agentic browsers like Atlas introduce new modes of agency, including the "human not present" mode. This highlights the unique benefit of virtual buddies over human ones. After all, the equivalent expectation from your real-life shopping friend would be for them to set an alarm for 2am, travel across the country, and queue for concert tickets the moment they go on sale. But your agentic browser doesn't sleep.
Agentic browsers also know far more than any human companion—instantly comparing products, prices, and reviews across the entire web. They may not know your personal preferences quite like a friend would, and their "opinions" might be influenced by unseen forces, but their speed and scale of knowledge are unmatched.
The Downside: Familiar Flaws and New Vulnerabilities
As with any emerging technology, agentic browsers introduce new vulnerabilities. Many stem from weaknesses already familiar in prompt-based AI agents. Some are known and even accepted with a "let's see what happens" mindset. For example:
An Atlas prompt for agent mode warns that "ChatGPT is built to protect you, but there is always some risk that attackers could successfully break our safeguards to access your data or take actions as you on logged-in sites."
OpenAI similarly acknowledges that "Agents are susceptible to hidden malicious instructions, which could lead to stealing data from sites you're logged into or taking actions you didn’t intend."
Hacking the Shopping Buddy
These "broken safeguards" or "hidden malicious instructions" largely refer to a well-known issue: prompt injection. In this attack, malicious actors embed hidden commands within web content that trick an AI agent into executing unintended actions. The AI can't distinguish between legitimate instructions and those embedded in a compromised webpage. It's like a scammer whispering hypnotic suggestions to your shopping buddy—convincing them to hand over your credit card or buy everything in the store for them.
Spoofing the Shopping Buddy
Another vulnerability, revealed by SquareX, involves a specific scenario: agentic browsers using a sidebar for user–agent interaction. Researchers demonstrated that a malicious browser extension could "spoof" this sidebar—overlaying a deceptive but convincing imitation that still has access to logged-in accounts such as Google Drive. This poses major privacy risks and, because users inherently trust their agent, could be exploited to steer them toward fraudulent sites without their knowledge.
History Repeats: Innovation Before Security
The release of technology with known vulnerabilities is nothing new. Throughout history, we've repeatedly prioritized speed and convenience over security—only to face the consequences later:
Early e-commerce (1990s): The first online payment was made in 1994, but robust encryption standards like SSL/TLS weren't widely adopted until years later. Fraud, identity theft, and significant financial losses were rampant.
Mobile payments (2000s–2010s): The race to launch mobile payment systems meant apps often stored sensitive data insecurely, lacked proper encryption, and used weak authentication mechanisms.
Internet of Things (2010s): Smart home devices flooded the market with default passwords, unencrypted connections, and poor update mechanisms—creating massive botnets and privacy nightmares.
Agentic browsers and shopping appear poised to follow a familiar trajectory: powerful innovation racing ahead of robust security.
The Unknown Risks of Agentic Shopping
While the pros and cons of agentic shopping are becoming clearer, the greatest risks may still be the ones we can't yet see. At F-Secure, we have a deep understanding of how scams evolve, and we continue to study how new technologies shift the threat landscape. Yet it remains uncertain how scamming will manifest in the age of agentic shopping.
So far, the role of AI in scams has focused on content generation—for example, crafting convincing phishing emails or deepfake impersonations. But agentic browsers could introduce a new twist: AI as the potential victim of a scam. Even if a payment protocol itself is secure, evidence suggests that AI agents are not yet equipped to detect phishing pages or fake online shops.
How scams might adapt to target this new kind of victim is still an open question. We also don't yet know which existing scam types might exploit vulnerabilities such as sidebar spoofing, or what entirely new forms of fraud could emerge.
Trusting an AI Buddy: How Far Will People Go?
One factor that will shape this landscape is the level of trust users place in agentic technology. This, too, is uncertain. Which groups of people will embrace agentic shopping—perhaps assuming that, after years of progress in generative AI, the major risks must already be solved? Will convenience outweigh caution, leaving some users complacent or resigned to the risks? The conversational, reassuring tone of AI "shopping buddies" may even foster an inflated sense of trust that exceeds what's warranted.
Conversely, some groups may find the idea of outsourcing something as personal as financial transactions deeply unsettling. For them, the notion of a chatty "black box" handling payments may cross a line. It remains to be seen whether these skeptics will mirror the risk-averse users of past digital transitions—or form a new category of selective adopters who trust AI for travel planning, information, or medical advice, but not for purchases.
The Future of Agentic Browsing: Promise or Peril?
Agentic browsers represent a genuine innovation in how we might interact with the digital world. Their promise of convenience is real, and their potential applications extend far beyond shopping to encompass productivity, accessibility, and efficiency gains across countless domains.
But the security landscape is troubling. As this article illustrates, vulnerabilities are being discovered faster than they can be patched. Scammers are already developing techniques to exploit AI agents. The protocols enabling these systems remain fragmented and immature. And the fundamental question—how we protect users when AI intermediaries act on their behalf—is still unanswered. Will shoppers or scammers enjoy agentic browsers more? Right now, we don't know.
What we do know is that speed of deployment continues to outpace security—a pattern repeated throughout technological history. The difference this time is that agentic browsers have direct access to our financial accounts, personal data, and authenticated sessions across the web. The stakes are higher than ever.
F-Secure's Guidance to Stay Ahead of the Risks
At F-Secure Illuminate, we'll continue monitoring this fast-moving landscape. As these technologies evolve, we'll track both innovations and vulnerabilities to help you understand the trade-offs involved in adopting agentic browsing.
In the meantime, if you're considering using agentic browsers with payment capabilities, approach with caution: understand which autonomous actions you're authorizing, monitor agent activity closely, use logged-out modes whenever possible, and remember that convenience and security rarely coexist perfectly.
The future of agentic browsing isn't predetermined. How we collectively respond—balancing caution with openness to innovation—will determine whether these systems become indispensable tools or cautionary tales. The conversation is just beginning, and the questions matter as much as the answers.
