OpenAI and Perplexity are racing to replace Chrome with AI-powered browsers that act on users' behalf, but cybersecurity experts warn these agents create unprecedented privacy risks through prompt injection attacks that could expose emails, make unauthorized purchases, and compromise sensitive data. The vulnerability affects the entire AI browser category and has no clear solution.
The AI browser wars just got a lot more dangerous. OpenAI's freshly launched ChatGPT Atlas and Perplexity's Comet are positioning themselves as the intelligent successors to Chrome, promising to handle everything from booking flights to managing your calendar. But security researchers are sounding alarms about a fundamental flaw that could turn these helpful agents against users.
The problem centers on prompt injection attacks - a relatively new vulnerability where malicious actors embed hidden instructions on web pages that can hijack an AI agent's behavior. When an AI browser visits a compromised site, it might suddenly start forwarding your private emails, making unauthorized purchases, or posting on your social media accounts.
"There's a huge opportunity here in terms of making life easier for users, but the browser is now doing things on your behalf," Brave senior research engineer Shivan Sahib told TechCrunch. "That is just fundamentally dangerous, and kind of a new line when it comes to browser security."
Brave's latest research published this week declares prompt injection attacks a "systemic challenge facing the entire category of AI-powered browsers." The privacy-focused browser company previously flagged vulnerabilities in Perplexity's Comet but now warns the issue spans the entire industry.
Both companies are scrambling to address these concerns. OpenAI Chief Information Security Officer Dane Stuckey acknowledged on X that "prompt injection remains a frontier, unsolved security problem" and that adversaries will "spend significant time and resources" trying to exploit ChatGPT agents. Perplexity went further, stating the problem "demands rethinking security from the ground up" because attacks "manipulate the AI's decision-making process itself."
The technical reality is sobering. Unlike traditional browsers that simply display web content, AI agents need extensive permissions to be useful - access to your email, calendar, contacts, and the ability to click buttons and fill forms on your behalf. TechCrunch's testing found these agents work reasonably well for simple tasks but often feel more like "party tricks" than productivity boosters.
McAfee CTO Steve Grobman explains the core issue: large language models struggle to distinguish between their core instructions and external data they're processing. "It's a cat and mouse game," he told TechCrunch. "There's a constant evolution of how the prompt injection attacks work."
The attack methods are already evolving rapidly. Early techniques used hidden text instructing agents to "forget all previous instructions" and expose user data. Now attackers are embedding malicious commands in images using hidden data representations that are invisible to human users.
Both companies have implemented defensive measures. OpenAI created a "logged out mode" where agents can't access user accounts while browsing, limiting both functionality and potential damage. Perplexity built real-time detection systems for prompt injection attempts. But security experts warn these safeguards aren't foolproof.
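The two defences the article describes, a logged-out mode that withholds account-bound tools and a check on what the model proposes after reading page content, can be modelled as a policy layer between the model and the browser's tools. The example below is added here and is not code from the article, OpenAI or Perplexity; the tool names, `PolicyGate`, and the constructed page text are hypothetical.

```python
"""Added example: a minimal authorization gate for an AI browser agent.
It treats the model's proposed tool calls as untrusted once page content has
been read, and enforces two independent limits: a logged-out session that
withholds account-bound tools, and a per-task allowlist derived from the
user's own request. All names and sample data here are hypothetical."""
from dataclasses import dataclass, field

# Hypothetical tools an AI browser exposes; account_bound ones act on the
# user's accounts and are unavailable in "logged out mode".
TOOLS = {
    "read_page":   {"account_bound": False},
    "click":       {"account_bound": False},
    "fill_form":   {"account_bound": False},
    "send_email":  {"account_bound": True},
    "purchase":    {"account_bound": True},
    "post_social": {"account_bound": True},
}

@dataclass
class PolicyGate:
    task_allowlist: set               # tools the user's request justifies
    logged_in: bool = False           # False models the logged-out mode
    audit: list = field(default_factory=list)

    def authorize(self, proposed: dict, source: str) -> bool:
        """Allow a proposed tool call only if it passes every limit.
        `source` records what the model was reading when it proposed the call
        so that page-driven proposals are visible in the audit trail."""
        tool = proposed["tool"]
        if tool not in TOOLS:
            self.audit.append((tool, source, "deny: unknown tool")); return False
        if TOOLS[tool]["account_bound"] and not self.logged_in:
            self.audit.append((tool, source, "deny: logged-out mode")); return False
        if tool not in self.task_allowlist:
            self.audit.append((tool, source, "deny: outside task scope")); return False
        self.audit.append((tool, source, "allow")); return True

def run_scenario(logged_in: bool):
    """User asked only to read and click through a flight-search page.
    Constructed page text carries an injected 'forget all previous
    instructions' note that a naive model turns into a send_email call."""
    gate = PolicyGate(task_allowlist={"read_page", "click"}, logged_in=logged_in)
    proposals = [
        ({"tool": "read_page", "args": {}}, "user_request"),
        ({"tool": "send_email", "args": {}}, "untrusted_page"),  # injected
    ]
    decisions = [gate.authorize(p, src) for p, src in proposals]
    return decisions, gate.audit
```

Even when the session is logged in, the injected `send_email` call is still denied because it falls outside the scope of the task the user actually asked for; the audit trail records which limit fired.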
The timing couldn't be more critical. With millions of users likely to try ChatGPT Atlas following its high-profile launch, these vulnerabilities could affect more consumers than ever before. Rachel Tobac, CEO of SocialProof Security, warns that AI browser credentials will become prime targets for attackers.
"Users should ensure they're using unique passwords and multi-factor authentication for these accounts," Tobac advised. She recommends limiting early AI browsers' access to sensitive accounts involving banking, health, and personal information until security improves.
The browser landscape is at an inflection point. While Google Chrome maintains its dominance, AI-powered alternatives promise a fundamentally different browsing experience. But as these tools become more capable, they're also becoming more dangerous. The question isn't whether prompt injection attacks will happen - it's how quickly the industry can develop effective defenses before widespread adoption makes these vulnerabilities a mainstream security crisis.
The AI browser revolution is happening whether we're ready or not, but the security foundations are still shaky. While OpenAI and Perplexity deserve credit for acknowledging these risks upfront, prompt injection attacks represent an unsolved problem that could undermine user trust in AI agents. Until stronger defenses emerge, users should approach these powerful new tools with healthy skepticism and limit their access to sensitive data. The convenience of having an AI handle your digital tasks might not be worth the risk of having that same AI turned against you.