TL;DR

Modern AI agents (browser plugins, desktop assistants, or "autonomous" scripts) read page content and decide actions (click, type, run JS). Invisible UI tricks (white-on-white text, transparent overlays, non-printing Unicode, URL fragments) let sites hide instructions the agent will consume. Together they let an attacker steer the agent - causing data leaks or unwanted actions - without the human noticing.

Three high-impact protections you can do right now:

</p><ol><li>Run agents only in a dedicated browser/profile that never has banking, healthcare, admin, or other sensitive sessions open.</li><li>Require confirmations: disable automatic JS or automated click/run actions by agent; require explicit approval for any autofill or sensitive action.</li><li>Treat autofill as a privilege: set password managers to require an on-screen confirmation before filling, and keep autofill off in your agent profile.</li></ol><p>

The problem, in one picture

  • Agent = software that reads webpages/screenshots and acts (clicks, types, runs scripts).
  • Invisible UI tricks = techniques pages use to hide instructions or fake UI (white text, transparent overlays, hidden Unicode, hash fragments).
  • Why dangerous together: a human would often notice weird text or overlays. An agent that consumes everything (including hidden content) can be tricked into following attacker instructions and performing actions the human never intended.

Example headline scenario

An agent that can handle your calendar reads a malicious calendar event that contains hidden instructions; later, when you ask the agent to "handle calendar invites," it follows the hidden instruction and downloads or executes something.

Two attack families

A. Indirect prompt injection (hidden instructions aimed at the agent)

Attackers embed instructions the agent will read as part of page content - not meant for the human. Techniques include:

  • White-on-white or transparent text the human won't see
  • Non-printing Unicode that looks invisible
  • Hash fragments (example.com/page#<payload>) that the page's DOM or the agent exposes
  • Invisible DOM nodes or CSS overlays

What attackers aim for: steer the agent by giving it instructions (e.g., "copy the secret from the page and send it to X"), often combined with social engineering.

Primary impacts: data exfiltration (agent reads and leaks what it can access), unintended actions (downloads, messages, privilege escalation).

Vendor guidance: vendors (Microsoft, Anthropic) warn that pages visited by an agent become part of its input and thus a potential attack surface. Agents that run JS or have deep platform privileges widen the possible damage.

B. Clickjacking / UI redressing (invisible overlays)

The site overlays invisible or shifted UI elements so that a click appears to target a benign button but actually activates a hidden control (e.g., an autofill trigger, file download, or confirmation).

  • Why this worsens with agents: agents click deterministically and fast; an invisible overlay that would trip up a distracted human can reliably trigger an agent action.
  • Password-manager intersection: some extension-injected UIs can be manipulated via DOM/CSS so autofill is triggered without visible indicator.

Primary impacts: involuntary autofill into attacker-controlled fields, unauthorized submissions, or automated chains that culminate in data leakage.

Why the risk is more urgent now

  • Agents reduce the "human noticing" defenseHumans catch weirdness; agents don't (unless specifically trained/filtered).
  • Agents act faster and deterministicallyAttackers can craft content that reliably triggers agent behavior.
  • Sensitive sessions are commonMany people keep banking, email, and admin sessions open - an agent that can read visible content or screenshots may see secrets.
  • Composabilityattackers chain prompt injection + clickjacking + autofill to create multi-step exploits that a human would likely stop mid-stream.

What can go wrong - concrete examples

  • Data exfiltrationagent reads a page containing account data then posts it to an attacker endpoint.
  • Unintended actionsthe agent clicks "approve" on an app permission, triggers a download that executes, or submits a form leaking a session token.
  • Autofill abuseinvisible overlays cause the password manager to fill credentials into attacker fields; agent then reads those fields and exfiltrates them.
  • Social-engineered escalationcalendar/event content instructs the agent to "run this script" when you later ask it to handle a calendar task.

High-value protections

Immediate - do this today

  • Dedicated "Agent" browser/profileKeep one profile (Chrome/Edge/Firefox) for agents and never log into banking, healthcare, payroll, or other sensitive services there. Anthropic and other vendors explicitly recommend separate profiles. Keep password manager logged out in the agent profile or require manual unlock and explicit per-fill approval.
  • Require explicit approvals for agent actionsTurn off automatic JS execution for agents. Require the agent to present an action summary and get an explicit "yes" before any click/JS/run/download that touches external resources or local files. For password managers: enable the "require approval" or "confirm autofill" setting.
  • Avoid running agents with sensitive pages openClose tabs with sensitive contexts (email, admin consoles, banking). The agent shouldn't be able to "see" those tabs.

Near term - configure & harden

  1. Disable automatic autofill in agent profiles; require confirmation. Treat autofill as a convenience, not a default.
  2. Limit agent permissions: screenshot, clipboard, native file access - set to deny or ask each time.

Quick "agent-safe" checklist

  • Create a dedicated browser/profile for agents; never open sensitive tabs there.
  • Turn off automatic script execution for agents and require explicit confirmations.
  • Turn off automatic autofill; require password manager confirmation for each fill.
  • Disable agent screenshot / clipboard / file access unless explicitly required and confirmed.
  • Use masked emails and virtual cards for new signups encountered by agents.

How vendors & defenders should respond

  • Agent vendorsadopt robust sanitization (strip hidden CSS/text), normalize Unicode, provide a safe render API that excludes hidden nodes, and require confirmation for any tool action that writes/executes/exports.
  • Password managersrequire explicit user approval for autofill; make autofill flows resistant to DOM/CSS manipulation.
  • Site owners & devsavoid putting instructions into fragments or hidden text; if you need agent-facing content, publish it on a vetted endpoint.
  • Enterprise ITenforce agent policies via MDM/allowlists and ban running agents in managed profiles that have sensitive sessions.

Ivy's AI processes queries in real time. For details about processing, retention, and temporary results, see our Privacy Policy. Masked emails forward messages to your inbox; forwarded messages are temporarily cached and handled per our Privacy Policy. Feature availability and integrations may vary by plan and region; see getivy.ai.

Set up your agent safely today

Get step-by-step agent safety guidance, Risk Checkup, and masked identities - all in one place.