Università degli Studi di Padova

“Sandboxing Web AI Agents with Cellmate”

Tuesday 24 March 2026, 9:00 - Room 1BC45 - Earlence Fernandes (UC San Diego)

Abstract

Web AI agents see and act on websites through screenshots and UI manipulations. They have the same access to those websites as the logged-in user. This ambient authority is dangerous because AI models are fundamentally vulnerable to issues like prompt injection where attackers can hijack the models and force them into performing dangerous tasks. In this talk, I will make the case for how a systems security approach can limit the damage that attackers can cause on web AI agents. I will first describe new attacks on Gemini Computer Use to show how easy it is for attackers to cause damage (e.g., data exfiltration, account takeover). This shows that despite significant investment in safety alignment, attackers can always find workarounds, often without needing sophisticated technical skill. Then I will describe Cellmate, a sandbox we are actively developing that helps create agentic browsing sessions with programmatic privilege control.
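To make the contrast between ambient authority and programmatic privilege control concrete, the following is an added illustration, not part of the announcement and not Cellmate's code or design: a hypothetical default-deny reference monitor that sits between an agent and the browser. The policy format (allowed origins, blocked path prefixes, a submit flag, an action budget), the action vocabulary and the replayed action sequence are all constructed for the example. The point it shows is that a prompt-injected detour (exfiltration to another origin, an account-settings change, a form submission) is stopped by a rule the agent cannot talk its way around, regardless of how well the model is aligned.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Action:
    """One UI-level step the agent wants to perform (constructed vocabulary)."""
    kind: str           # "navigate", "read", "click", "type" or "submit"
    url: str            # the page the step targets
    detail: str = ""    # free-form: link text, field name, typed text


@dataclass(frozen=True)
class SessionPolicy:
    """Privileges granted to one agentic browsing session (hypothetical format)."""
    allowed_origins: frozenset          # scheme://host:port values the agent may touch
    blocked_path_prefixes: tuple = ()   # sensitive paths denied even on allowed origins
    allow_submit: bool = False          # state-changing form submissions are off by default
    max_actions: int = 50               # hard budget so a hijacked loop cannot run forever


def origin_of(url):
    """Normalise a URL to scheme://host:port, or None if it is not a usable http(s) origin."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:          # non-numeric or out-of-range port
        return None
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


class ReferenceMonitor:
    """Default-deny gate that every agent action must pass before the browser executes it."""

    def __init__(self, policy):
        self.policy = policy
        self.performed = 0
        self.audit = []     # (action, allowed, reason) kept for incident review

    def check(self, action):
        allowed, reason = self._decide(action)
        self.audit.append((action, allowed, reason))
        if allowed:
            self.performed += 1
        return allowed, reason

    def _decide(self, a):
        if self.performed >= self.policy.max_actions:
            return False, "action budget exhausted"
        origin = origin_of(a.url)
        if origin is None:
            return False, "malformed or non-http(s) URL"
        if origin not in self.policy.allowed_origins:
            return False, f"origin {origin} not granted to this session"
        path = urlparse(a.url).path
        if any(path.startswith(pfx) for pfx in self.policy.blocked_path_prefixes):
            return False, f"path {path} is blocked by policy"
        if a.kind == "submit" and not self.policy.allow_submit:
            return False, "form submission not granted to this session"
        if a.kind not in ("navigate", "read", "click", "type", "submit"):
            return False, f"unknown action kind {a.kind!r}"
        return True, "ok"


def run_demo():
    """Replay a constructed action sequence whose steps 3-6 model a prompt-injected detour."""
    policy = SessionPolicy(
        allowed_origins=frozenset({"https://shop.example:443"}),
        blocked_path_prefixes=("/account/settings",),
        allow_submit=False,
    )
    monitor = ReferenceMonitor(policy)
    # Constructed: the user's task is "check my recent orders"; the remaining steps are
    # what an injected instruction on the orders page might try to make the agent do.
    steps = [
        Action("navigate", "https://shop.example/orders"),
        Action("read", "https://shop.example/orders", "order table"),
        Action("navigate", "https://attacker.example/collect?orders=summary", "exfiltrate"),
        Action("navigate", "https://shop.example/account/settings/email", "change email"),
        Action("submit", "https://shop.example/orders/123/cancel", "cancel order"),
        Action("navigate", "javascript:alert(1)"),
    ]
    return [monitor.check(s)[0] for s in steps]


if __name__ == "__main__":
    for decision in run_demo():
        print("allow" if decision else "deny")
```

The monitor enforces the user's intent as a policy attached to the session rather than trusting the model to refuse; the `audit` list is what a responder would pull after a suspected hijack to see exactly which steps were attempted and why they were denied.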

