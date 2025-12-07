Companies like OpenAI, Perplexity, and The Browser Company are in a race to build AI browsers that can do more than just display webpages. It feels similar to the first browser wars that gave us Netscape Navigator, Internet Explorer, and Firefox. Today, AI browsers, including ChatGPT's Atlas, Perplexity's Comet, and The Browser Company's Dia, aim to think, act, and make decisions for you.

With traditional browsers, you go to a search engine, type a query, and it returns a list of results. You pick where you want to go. Conversational AI assistants like ChatGPT or Google Gemini take it a step further by summarizing information for you. AI browsers go further still by completing tasks for you. When you tell ChatGPT Atlas to find a cocktail bar nearby and book a table, it evaluates options, navigates to booking pages, and attempts to make the reservation itself. Doing this requires the browser to process both your instructions and the content of every webpage it visits.

But the problem with large language models (LLMs) is that they can't fundamentally distinguish between commands from a trusted source (you) and text embedded in untrusted content (a random website). An attacker can embed malicious instructions into a webpage. That could be in the form of white text on a white background, buried in HTML comments, or hidden in an image. When the AI browser reads that page to summarize it or act on it, it processes those hidden instructions alongside your original request. This kind of attack is called prompt injection.