AI-browseragenten gehackt in minder dan 4 minuten — Agentic Blabbering, WordPress SQLi & n8n RCE actief misbruikt
Perplexity's Comet AI-browser werd in minder dan vier minuten verleid tot een phishing-scam. Een kritieke WordPress SQLi treft meer dan 250.000 sites. CISA beveelt noodpatches voor actief misbruikte n8n RCE.
🤖 AI Agents: The New Attack Vector
⚠️ CRITICAL — AI Browser Agents Vulnerable to Social Engineering
Researchers at Guardio demonstrated that Perplexity's Comet AI browser — designed to autonomously navigate the web on behalf of users — can be tricked into entering credentials on phishing pages in under four minutes. The technique exploits a fundamental weakness they call "Agentic Blabbering."
What Is Agentic Blabbering?
Agentic web browsers powered by AI don't just click links — they reason aloud about what they see, what they believe is happening, and what they plan to do next. This internal narration, when intercepted by a malicious page, becomes a weapon. Attackers can read the agent's reasoning, understand its security assessments in real time, and craft responses that systematically disarm its defenses.
"The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way," explained Guardio researcher Shaked Chen. "This is what we call Agentic Blabbering: the AI Browser exposing what it sees, what it believes is happening, what it plans to do next, and what signals it considers suspicious or safe."
The 4-Minute Exploit Chain
- Bait page: Attacker creates a page that looks like a legitimate service requiring login
- Reasoning interception: The malicious page reads the AI agent's internal reasoning about whether the page is safe
- Adaptive persuasion: Based on the agent's expressed concerns, the page dynamically adjusts its legitimacy signals
- Credential entry: The AI agent, now convinced the page is safe, enters the user's stored credentials
The entire attack — from first page load to credential theft — took under four minutes with no human interaction required.
🔓 WordPress SQLi: 250K+ Sites at Risk
Elementor Ally Plugin Vulnerability
A critical SQL injection vulnerability has been discovered in Ally, a WordPress accessibility plugin from Elementor with more than 400,000 installations. The flaw (not yet assigned a CVE) allows unauthenticated attackers to extract sensitive data from the WordPress database — including admin credentials, user data, and configuration secrets.
Impact: Any WordPress site running the Ally plugin is potentially vulnerable. The attack requires no authentication and can be executed remotely. At least 250,000 sites confirmed using vulnerable versions.
Recommended Actions
- Update the Ally plugin immediately when a patch is released
- Implement a Web Application Firewall (WAF) with SQLi rules
- Audit database access logs for suspicious query patterns
- Rotate all database credentials as a precaution
🚨 n8n RCE: CISA Orders Emergency Patching
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch a remote code execution vulnerability in n8n, the popular open-source workflow automation platform. The flaw is being actively exploited in the wild.
n8n is widely used in enterprise environments for workflow automation, integrating hundreds of services including Slack, GitHub, databases, and cloud platforms. A successful RCE exploit gives attackers full control over the n8n server and access to all connected service credentials.
Why This Matters for AI-Driven Organizations
n8n is increasingly used as the orchestration layer for AI agent workflows. If your AI agents use n8n to chain actions across services, a compromised n8n instance means every connected service is compromised — including your AI models, data pipelines, and customer-facing APIs.
🔍 The Expanding Attack Surface of Autonomous AI
Three Converging Threats
Today's three stories share a common thread: autonomous AI tools are creating attack surfaces faster than security teams can map them.
| Threat Vector | Tool Category | Risk Level | Impact |
|---|---|---|---|
| Agentic Blabbering | AI Browsers | CRITICAL | Credential theft via AI reasoning exploitation |
| Plugin SQLi | CMS Plugins | CRITICAL | Unauthenticated database exfiltration |
| Automation RCE | Workflow Engines | CRITICAL | Full server + credential compromise |
What Security Teams Must Do Now
- Inventory all AI agents — Know every autonomous tool that can act on behalf of your organization
- Limit AI agent permissions — Apply least-privilege to AI browsers, workflow engines, and automation tools
- Monitor AI agent behavior — Log and audit what AI agents access, submit, and connect to
- Patch automation platforms — n8n, Zapier alternatives, and custom orchestration layers must be patched within 24 hours of CVE disclosure
- Scan for plugin vulnerabilities — WordPress, CMS plugins, and SaaS integrations are the #1 entry point