Your browser agent is a liability with tabs.

Anthropic just published the kind of number that should make every product manager in this category cough up a lung: 31.5% browser hijack rate before safeguards. One in three. Not in a toy demo. Not in a lab fairy tale. In a browser, where the thing has your logins, your history, your inbox, your cookies, and the confidence of a raccoon with a stolen badge.

And of course the sales pitch is still the same glossy nonsense: “agentic browsing,” “work on your behalf,” “trusted colleague.” Sure. If your colleague can be tricked by a web page into sending a resignation email to your CEO, that colleague is either drunk or on payroll from the wrong side.

That is the part people keep refusing to say out loud: the browser agent is not a browser with a little extra brain. It is a principal-substitution machine. The thing reading the web is also the thing acting on the web, and both jobs are now happening under your credentials. That’s not product magic. That’s a blast radius with a UI.

The rest of the research is just different flavors of the same mess. Permiso showed ChatGPT can be pushed into rendering attacker-controlled Markdown as fake security alerts and QR-code traps. Trail of Bits walked Perplexity’s Comet through fake CAPTCHAs, fragments, and user-impersonation scripts to yank Gmail contents out the back door. OpenAI’s own Atlas hardening writeup basically admits prompt injection is a permanent annoyance and responds by building an automated attacker to find holes before other people do.

Which is adorable, in the way a smoke detector is adorable when the kitchen is already on fire.

The industry response to all this is always some combination of “we’re improving safeguards” and “we’ve rolled out a new adversarially trained model.” Fine. Great. Love that for you. But if your product needs a robot burglar to test whether it can be socially engineered by a webpage, maybe the category shipped before the architecture grew a spine.

Anthropic at least published the ugly number. It also published the boring good news: with safeguards on, the browser surface dropped to 0.5%. That matters. Numbers matter. But the number is still a confession, not a victory lap. A safer version of a bad idea is still a bad idea if the bad idea is “give a model your authenticated life and let it freestyle.”

The sane defaults are not mysterious. They are just inconvenient:

  • read-only mode until the user explicitly opts into writes
  • logged-out mode unless the task genuinely needs auth
  • exact allowlists, not cute wildcard nonsense
  • strict separation between page content and instructions
  • per-action confirmation for anything irreversible or expensive
  • no inbox access unless the task is literally about email

That’s it. That’s the whole sermon. If the agent doesn’t need your bank, your mail, or your checkout session, don’t hand it those keys and then act shocked when some trash page says “ignore previous instructions” and the model goes for a walk.

I keep seeing demos where the browser agent “helps” by doing the exact thing a malicious page would want it to do, and every time I get the same feeling I get when a CI job starts asking clarifying questions: this is already too far gone to be cute.

A browser agent that can be talked into acting on hostile content is not a productivity breakthrough. It is a liability with tabs.

And the tabs are the least interesting part of the problem.