AI Browsers Face A New Kind Of Attack, And It Puts Your Privacy At Risk

Companies like OpenAI, Perplexity, and The Browser Company are in a race to build AI browsers that can do more than just display webpages. It feels similar to the first browser wars that gave us Netscape Navigator, Internet Explorer, and Firefox. Today, AI browsers, including ChatGPT's Atlas, Perplexity's Comet, and The Browser Company's Dia, aim to think, act, and make decisions for you.

With traditional browsers, you go to a search engine, type a query, and it returns a list of results. You pick where you want to go. Conversational AI assistants like ChatGPT or Google Gemini take it a step further by summarizing information for you. AI browsers go further still by completing tasks for you. When you tell ChatGPT Atlas to find a cocktail bar nearby and book a table, it evaluates options, navigates to booking pages, and attempts to make the reservation itself. Doing this requires the browser to process both your instructions and the content of every webpage it visits.

But the problem with large language models (LLMs) is that they can't fundamentally distinguish between commands from a trusted source (you) and text embedded in untrusted content (a random website). An attacker can embed malicious instructions into a webpage. That could be in the form of white text on a white background, buried in HTML comments, or hidden in an image. When the AI browser reads that page to summarize it or act on it, it processes those hidden instructions alongside your original request. This kind of attack is called prompt injection.

Prompt injection gives attackers access to everything the AI agent can reach, which, by design, is a lot. To be genuinely useful, AI browsers need access to your email, calendar, contacts, payment information, and browsing history. ChatGPT Atlas builds browser memories from your activity if you allow it. Comet is able to connect to your Google account. The whole point is to give the AI enough context to act in a way that's smart and convenient. But every integration becomes a potential exfiltration path.

Researchers at Brave demonstrated how easily this can happen with Perplexity's Comet browser. They embedded a prompt injection inside a Reddit comment, hidden behind a spoiler tag. When a user asked Comet to summarize the page, the AI followed those hidden instructions: navigating to the user's email and extracting messages to an external server. The user never clicked anything suspicious. All they asked for was a summary. Security researchers have highlighted similar attacks that trick AI browsers into forwarding emails, extracting saved passwords, making fake purchases, and downloading malware.

In fact, there's a newer technique called HashJack that has been described by security experts at Cato Network as "the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants." Here's how it works: when you visit a website, its servers scan incoming requests for anything suspicious. But everything after the # in a URL (called a fragment) never gets sent to the server. It stays in your browser. So attackers can hide malicious instructions there, and the server has no idea. Your AI browser reads it, processes it, and follows it. This goes to show how difficult defending against this is since bad actors exploit the very architecture of how large language models process information.

AI browsers can also be manipulated into giving you wrong information. In testing the HashJack flaw, Cato Networks showed how a prompt injection hidden in a URL caused AI browsers to display inaccurate medication dosages while browsing a trusted pharmaceutical site. 

Because the browser presents that altered information so confidently, how is a regular person supposed to tell that something's wrong? Microsoft's Copilot, Perplexity's Comet, and Google's Gemini were all susceptible to this attack, and the truth is that AI browsers today offer convenience at a security cost most users don't fully understand. And that's why you shouldn't switch to an AI browser just yet. To be fair, these companies are trying various mitigations. Anthropic uses reinforcement learning to train Claude to recognize and refuse suspicious instructions. OpenAI introduced a logged-out mode that limits what the agent can access while browsing.

But none of these approaches completely solve the underlying problem. LLMs are designed to be flexible, to respond to natural language in all its variations. That same flexibility makes them susceptible to manipulation. You can train a model to recognize known attack patterns, but bad actors can always craft more sophisticated attacks. The race to build an AI browser that's both useful and trustworthy is ongoing. Right now, the industry has the first part figured out. But from all indications, the second part remains very much a work in progress.