OpenAI and Microsoft just launched AI-powered browsers that cybersecurity experts are calling a "time bomb." ChatGPT Atlas and Edge's Copilot Mode can answer questions and take actions on your behalf, but researchers have already found critical flaws allowing attackers to inject malicious code and steal sensitive data. The rush to market means these browsers haven't been thoroughly tested, creating what experts describe as an exponentially growing attack surface.
The AI browser arms race just turned dangerous. OpenAI and Microsoft kicked off a new era last week with ChatGPT Atlas and Copilot Mode for Edge, but cybersecurity researchers are sounding alarm bells about what they're calling a "minefield of new vulnerabilities."
The timing couldn't be worse. These AI-powered browsers are hitting the market in what Hamed Haddadi, professor at Imperial College London and chief scientist at Brave, calls "a market rush." He warns that "these agentic browsers have not been thoroughly tested and validated," creating what amounts to a massive experiment with user security.
The evidence is already piling up. In just the past few weeks, security researchers uncovered critical flaws in Atlas that let attackers exploit ChatGPT's memory function to inject malicious code, grant themselves access privileges, or deploy malware. Similar vulnerabilities in Perplexity's Comet browser allow hackers to hijack the AI with hidden instructions embedded in websites.
But OpenAI and Perplexity acknowledge these "prompt injections" as frontier problems without clear solutions. Even OpenAI's chief information security officer Dane Stuckey admitted the threat is real, though he described it as an unsolved challenge facing the entire industry.
The competitive landscape is driving this risky rollout. Google is integrating Gemini into Chrome, Opera launched Neon, and startups like The Browser Company's Dia are all racing to control what Haddadi calls "the gateway to the internet." Even Sweden's Strawberry browser is actively targeting "disappointed Atlas users" while still in beta.
What makes AI browsers uniquely dangerous is their intimate knowledge of users. Yash Vekaria, a UC Davis computer science researcher, explains they're "much more powerful than traditional browsers" because AI memory functions learn from everything - browsing history, emails, searches, conversations with AI assistants. The result is "a more invasive profile than ever before," coupled with stored credit card details and login credentials that hackers would love to access.
The AI agents themselves create the biggest security nightmare. Unlike humans who develop common sense about online threats, these agents will blindly visit suspect websites, click dangerous links, and input sensitive information where it doesn't belong. Worse, they can be hijacked through prompt injections hidden in images, form fields, emails, or even invisible white text on white backgrounds.
"Interaction with agents allows endless 'try and error' configurations," Haddadi explains. Hackers can keep trying different approaches until they break through, creating what Shujun Li, a University of Kent cybersecurity professor, calls "exponentially increasing" zero-day vulnerabilities. Since attacks start with the agent, detection gets delayed, potentially leading to bigger breaches.
The attack scenarios are chilling. Independent researcher Lukasz Olejnik envisions hackers using hidden instructions to steal personal data or redirect shopping deliveries by changing saved addresses. Vekaria warns it's "relatively easy to pull off attacks" given current AI browser safeguards, adding that "browser vendors have a lot of work to do."
For now, experts recommend extreme caution. Li suggests people "operate in an AI-free mode by default" and only use AI features "when they absolutely need it." If you must use AI agents, Vekaria advises providing verified safe websites rather than letting agents choose - "it can end up suggesting and using a scam site."
This isn't just another tech security issue. It's a fundamental shift in how browsers work, with AI memory creating unprecedented user profiles while agents act autonomously based on potentially malicious instructions. As Olejnik puts it, referencing past technology rollouts: "Here we go again." But this time, the stakes involve not just individual privacy but the security of our entire web browsing experience.
The AI browser revolution is happening whether we're ready or not, but the security implications are staggering. With OpenAI and Microsoft leading a market rush that prioritizes features over security testing, users are becoming unwitting beta testers for potentially dangerous technology. The prompt injection vulnerabilities already discovered in Atlas and Comet represent just the tip of the iceberg. As more companies integrate AI agents directly into browsers, we're looking at an explosion of attack vectors that traditional security measures weren't designed to handle. Until browser vendors implement robust safeguards and thorough testing, users might want to think twice before letting AI take the wheel of their web browsing experience.
