New Threat Landscape: AI Browsers Create Agentic Vulnerabilities & Amplified Data Risk
AI-powered browsers are rapidly reshaping the familiar landscape of web browsing, evolving from passive tools for displaying pages into active participants in user interaction. Following the recent launch of Copilot Mode in Microsoft Edge and the integration of ChatGPT Atlas from OpenAI, attention to the security risks surrounding these technologies has sharply increased. Cybersecurity experts warn that convenience comes at a price — a new wave of vulnerabilities that could lead to large-scale data breaches.
These developments represent not merely the incorporation of AI into browsers, but a fundamental transformation of how users engage with the internet itself. The initiatives led by Microsoft and OpenAI have inspired others: Google is embedding the Gemini model into Chrome, Opera is experimenting with its Neon platform, and startups such as Perplexity and Strawberry are introducing their own AI-driven solutions. Perplexity’s new Comet browser was recently made publicly available, while the Swedish firm Strawberry positions its product as an alternative for those disillusioned with Atlas.
However, new features inevitably bring new threats. Researchers have identified loopholes in Atlas that allow attackers to inject malicious commands through ChatGPT’s memory mechanism, while vulnerabilities in Comet can be exploited to manipulate the AI’s behavior via hidden prompts. Both Perplexity’s representatives and OpenAI’s Chief Information Security Officer have acknowledged that such attacks — leveraging specially crafted instructions — remain one of the most challenging problems to mitigate.
According to Hamed Haddadi, Chief Scientist at Brave, even with restrictive safeguards, these systems create a vast new attack surface. AI browsers are far more deeply integrated into user behavior and collect significantly more information than traditional browsers. Their memory mechanisms record not only online actions but also the contents of emails, search queries, and conversations with built-in assistants — forming an exceptionally detailed behavioral profile. If such data were to fall into the wrong hands, the consequences could be severe, especially given that browsers often store passwords and payment information.
An additional risk stems from the inherent instability of emerging technologies. Independent researcher Lukasz Olejnik draws parallels with the early misuse of macros in Microsoft Office, malicious extensions, and vulnerabilities in mobile systems before the advent of permission frameworks — suggesting that AI browsers are repeating this historical cycle. As these technologies remain in their infancy, the likelihood of critical flaws emerging is particularly high.
The defining feature of modern AI browsers — their ability to perform agentic actions on behalf of users — is also their greatest weakness. An AI can autonomously visit websites, follow links, and enter confidential data, yet unlike humans, it lacks intuition and can be easily deceived. A hidden instruction concealed within an image, email, form, or even white text on a white background could trick the system into executing harmful commands. Automation only amplifies this danger, allowing attackers to endlessly refine their tactics until success.
Professor Shujun Li of the University of Kent notes that such covert vulnerabilities are increasingly at the root of zero-day attacks. Since these flaws originate at the agent level, detection may take considerable time — expanding the scale of potential damage. Possible attack scenarios include exfiltrating personal data or altering delivery addresses on e-commerce platforms.
Even with existing safeguards, launching an attack on an AI browser today remains relatively simple, warns Yash Vekaria of the University of California. He stresses that developers face a formidable task in making these systems truly secure. The most reliable strategy, he concludes, is to disable AI features by default and limit their use to clearly defined, controlled contexts where the risks are understood and manageable.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
