AI browsers arrived with bold claims. They would handle routine tasks, summarize pages, even act as personal assistants inside the web itself. Yet fresh research keeps exposing serious weaknesses. The latest, from the University of Washington, shows how some of the most popular models break a bedrock of web security.
The study examined seven leading agentic AI browsers. Four of them — ChatGPT Atlas, Chrome with Gemini, Claude for Chrome, and Perplexity Comet — allow malicious sites to bypass the same-origin policy. That policy, in place for decades, prevents one website from reading data belonging to another. Break it, and an ad on an email page can quietly pull bank details or login credentials. University of Washington researchers ran a successful proof-of-concept against ChatGPT Atlas. The attack used prompt injection and memory poisoning. A hidden instruction on one page tricked the agent into fetching and submitting data from another origin.
But the problem runs deeper. Indirect prompt injection has emerged as a systemic flaw across the category. Bad actors embed commands in ordinary-looking web text or images. The AI agent, trained to follow natural language and complete tasks, obeys. It might forward emails, click phishing links, or exfiltrate data without the user noticing. Brave researchers called it “a systemic challenge facing the entire category of AI-powered browsers” after testing Perplexity’s Comet. (TechCrunch, October 2025)
Industry responses reveal a troubling gap between speed and safety.
OpenAI’s chief information security officer, Dane Stuckey, acknowledged the issue on X. “Prompt injection remains a frontier, unsolved security problem, and our adversaries will spend significant time and resources to find ways to make ChatGPT agents fall for these attacks.” Perplexity admitted the attacks manipulate the AI’s decision-making process itself, “turning the agent’s capabilities against its user.” The company said the severity demands rethinking security from the ground up. Brave, meanwhile, has pushed for better safeguards even as it offers its own Leo AI feature.
These findings echo earlier warnings. A Digital Trends report detailed the same University of Washington work, noting that more capable browsers carried greater risk. Microsoft Edge with Copilot, Brave Leo, and Firefox’s limited AI mode showed stronger defenses. Anthropic and Firefox offered no response to disclosures. Perplexity and OpenAI declined further action, citing incomplete demonstrations. Google, Microsoft, and Brave engaged with the researchers.
Enterprise and government users face even sharper exposure. Federal agencies already see AI browsers as a major 2026 risk. Agents inherit chatbot flaws — hallucinations, misaligned behavior, data leakage — while gaining autonomy over sensitive sessions. A single calendar invite once let attackers force Perplexity Comet to read local files, browse directories, and exfiltrate information, according to Zenity Labs research disclosed in March 2026. (CyberScoop)
Gartner advised organizations with low risk tolerance to block or pause autonomous AI browsers. The tools bypass established controls. They send tab contents to cloud services, execute code, and act with user-level privileges. Traditional data protections fall short when intent and identity blur between human and agent. By 2027, experts predict intent-based security will replace purely data-centric models. Purple-teaming — blending red and blue efforts into continuous, automated testing — has become non-negotiable. (FedScoop, December 2025)
And the threats keep arriving. HiddenLayer’s 2026 AI Threat Landscape Report, based on input from over 500 security professionals, highlights agentic AI as a growing vector for prompt injection, supply-chain attacks, and misuse. SquareX Labs and LayerX have cataloged additional architectural holes — sidebar spoofing, memory hijacking via CSRF, and zero-click data theft. One attack chain, dubbed “CometJacking,” let adversaries exfiltrate data through crafted URLs.
Companies race ahead anyway. Perplexity launched Comet. OpenAI rolled out Atlas. Mainstream browsers folded in AI sidebars and summarizers. Productivity gains look real. Yet the security foundation lags. Researchers at the University of Washington put it plainly. David Kohlbrenner said browser agents “aren’t ready for prime time” and users “should not trust that these systems are ready to truly protect your information.” Franziska Roesner added that the same-origin policy “is fundamental” and asked how companies can ship these tools when “how to make them safe is still an open question.”
So what now? Some vendors experiment with logged-out modes, real-time detection, or stricter sandboxing. Others push responsibility onto enterprises through policies or extensions. None has solved the core conflict: agents need broad access and contextual understanding to be useful. That same access makes them dangerous. Prompt injection persists as an unsolved frontier.
Security teams already report AI agent incidents spiking. One survey found 65 percent of firms hit in 2026, often through unsanctioned personal tools or extensions. The browser, once a relatively contained environment, now hosts autonomous actors that speak natural language, remember context, and act on behalf of users. Attackers don’t need zero-days. They need only a well-placed sentence on a webpage the agent happens to visit.
The pattern is clear. Each new capability brings fresh exposure. Memory poisoning lets planted instructions activate hours later. Image-based injections evade text filters. Calendar or email integrations open lateral movement paths. Enterprises that once worried about malicious extensions now confront AI agents with full session cookies and SSO tokens.
Researchers aren’t pulling alarms for sport. Their proof-of-concepts succeed against production tools used by millions. Vendors acknowledge the problem yet ship anyway. Federal guidance tightens. Gartner draws a line. The gap between hype and hardened reality grows wider with every launch.
Until the industry treats prompt injection and cross-origin risks as non-negotiable design constraints rather than afterthoughts, AI browsers will remain high-risk experiments. Useful, certainly. But safe? Not yet. Organizations must weigh productivity promises against the expanding attack surface. For many, the prudent move is still to watch, test in isolation, and block autonomous modes in sensitive environments. The technology will improve. The question is whether security catches up before the first major breach arrives.
Discover more from Web and IT News
Subscribe to get the latest posts sent to your email.
