Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts
Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page.
Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers, such as Perplexity's Comet, that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user's knowledge or intervention.
"With PromptFix, the approach is different: We don't try to glitch the model into obedience," Guardio said. "Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core design goal: to help its human quickly, completely, and without hesitation."
This leads to a new reality that the company calls Scamlexity, a portmanteau of the terms "scam" and "complexity," where agentic AI – systems that can autonomously pursue goals, make decisions, and take actions with minimal human supervision – takes scams to a whole new level.
With AI-powered coding assistants like Lovable proven to be susceptible to techniques like VibeScamming, an attacker can effectively trick the AI model into handing over sensitive information or carrying out purchases on lookalike websites masquerading as Walmart.
All of this can be accomplished by issuing an instruction as simple as "Buy me an Apple Watch" after the human lands on the bogus website in question through one of the several methods, like social media ads, spam messages, or search engine optimization (SEO) poisoning.
Scamlexity is "a complex new era of scams, where AI convenience collides with a new, invisible scam surface and humans become the collateral damage," Guardio said.
The cybersecurity company said it ran the test several times on Comet, with the browser only stopping occasionally and asking the human user to complete the checkout process manually. But in several instances, the browser went all in, adding the product to the cart and auto-filling the user's saved address and credit card details without asking for their confirmation on a fake shopping site.
In a similar vein, it has been found that asking Comet to check their email messages for any action items is enough to parse spam emails purporting to be from their bank, automatically click on an embedded link in the message, and enter the login credentials on the phony login page.
"The result: a perfect trust chain gone rogue. By handling the entire interaction from email to website, Comet effectively vouched for the phishing page," Guardio said. "The human never saw the suspicious sender address, never hovered over the link, and never had the chance to question the domain."
That's not all. As prompt injections continue to plague AI systems in ways direct and indirect, AI Browsers will also have to deal with hidden prompts concealed within a web page that's invisible to the human user, but can be parsed by the AI model to trigger unintended actions.
This so-called PromptFix attack is designed to convince the AI model to click on invisible buttons in a web page to bypass CAPTCHA checks and download malicious payloads without any involvement on the part of the human user, resulting in a drive-by download attack.
"PromptFix works only on Comet (which truly functions as an AI Agent) and, for that matter, also on ChatGPT's Agent Mode, where we successfully got it to click the button or carry out actions as instructed," Guardio told The Hacker News. "The difference is that in ChatGPT's case, the downloaded file lands inside its virtual environment, not directly on your computer, since everything still runs in a sandboxed setup."
The findings show the need for AI systems to go beyond reactive defenses to anticipate, detect, and neutralize these attacks by building robust guardrails for phishing detection, URL reputation checks, domain spoofing, and malicious files.
The development also comes as adversaries are increasingly leaning on GenAI platforms like website builders and writing assistants to craft realistic phishing content, clone trusted brands, and automate large-scale deployment using services like low-code site builders, per Palo Alto Networks Unit 42.
What's more, AI coding assistants can inadvertently expose proprietary code or sensitive intellectual property, creating potential entry points for targeted attacks, the company added.
Enterprise security firm Proofpoint said it has observed "numerous campaigns leveraging Lovable services to distribute multi-factor authentication (MFA) phishing kits like Tycoon, malware such as cryptocurrency wallet drainers or malware loaders, and phishing kits targeting credit card and personal information."
The counterfeit websites created using Lovable lead to CAPTCHA checks that, when solved, redirect to a Microsoft-branded credential phishing page. Other websites have been found to impersonate shipping and logistics services like UPS to dupe victims into entering their personal and financial information, or lead them to pages that download remote access trojans like zgRAT.
Lovable URLs have also been abused for investment scams and banking credential phishing, significantly lowering the barrier to entry for cybercrime. Lovable has since taken down the sites and implemented AI-driven security protections to prevent the creation of malicious websites.
Other campaigns have capitalized on deceptive deepfaked content distributed on YouTube and social media platforms to redirect users to fraudulent investment sites. These AI trading scams also rely on fake blogs and review sites, often hosted on platforms like Medium, Blogger, and Pinterest, to create a false sense of legitimacy.
"GenAI enhances threat actors' operations rather than replacing existing attack methodologies," CrowdStrike said in its Threat Hunting Report for 2025. "Threat actors of all motivations and skill levels will almost certainly increase their use of GenAI tools for social engineering in the near-to mid-term, particularly as these tools become more available, user-friendly, and sophisticated."
