Is it safe to use AI browsers like ChatGPT Atlas and Perplexity Comet? Researchers warn of major security vulnerability

The age of agentic AI-enabled browsers is here, with Perplexity’s Comet and OpenAI’s ChatGPT Atlas leading the charge, while others like Opera Neon and The Browser Company’s Dia are also in the race. However, the new technology also brings with it a fresh set of security challenges, and some of them were uncovered in a recent report.

​Notably, a big part of Comet and Atlas’s appeal is that they can complete multi-step actions on behalf of the user. However, Brave, the Chromium-based browser, has been vocal about the security threats that the so-called agentic AI browsers could propagate.

​In an earlier report, Brave researchers had exposed a security vulnerability in Comet that allowed malicious websites to hijack the browser’s AI assistant and perform unauthorized tasks.

​Brave researchers have exposed severe prompt injection vulnerabilities in Perplexity’s AI browser, Comet. The security flaw could allow malicious websites to hijack the browser’s AI assistant and perform unauthorized actions with the user’s logged-in privileges via a technique called ‘Indirect prompt injection.’

​This technique involves the hacker embedding hidden commands within the webpage or social media comment or image, which the AI takes up as the command from the user.

​Brave once again sounds alarm about agentic browsers

​In its latest blog post, Brave once again talked about the security vulnerabilities found in the Comet assistant that allows attackers to inject a prompt and get the assistant to do tasks which the user did not intend.

​The report says that Comet allows users to take screenshots of websites and ask questions about those images, but attackers are now injecting prompts by embedding the malicious instructions as nearly invisible text within the image.

​“An attacker embeds malicious instructions in Web content that are hard to see for humans. In our attack, we were able to hide prompt injection instructions in images using a faint light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user,” Brave explained in its blog post.

​The AI assistant then extracts the text from the screenshot, and the injected command instructs it to use browser tools maliciously.

​The researchers were also able to bypass the security parameters of another agentic AI browser called Felou. They found that asking the browser to go to a website causes it to send the website’s content to its LLM. Eventually, the AI ends up sending both the user command and the malicious command on the webpage to the LLM, which instructs the AI to use browser tools maliciously.

​”The security vulnerability we found in Perplexity’s Comet browser this summer is not an isolated issue. Indirect prompt injections are a systemic problem facing Comet and other AI-powered browsers,” Brave warned in a social media post.

​OpenAI was also well aware about the risks of agentic AI-based browsers as it launched Atlas on Tuesday.

​“Despite all of the power and awesome capabilities that you get with sharing your browser with ChatGPT, that also poses an entirely new set of risks,” an OpenAI employee admitted during the Atlas live-stream.

​While the ChatGPT maker says Atlas can not access other data on the computer except the browser tabs, the company did not clarify how its browser is better protected against prompt injections. Some users on social media have also begun claiming that Atlas is also vulnerable to prompt injections, similar to Comet.