The emergence of AI-enabled web browsers promise a radical shift in how we navigate the internet, with new browsers like Perplexity’s Comet, OpenAI’s ChatGPT Atlas, and Opera Neon integrating language models (LLMs) directly into the browsing experience. They promise to be intelligent assistants that can answer questions, summarize pages, and even perform tasks on your behalf, but that convenience comes at a pretty major cost.
Alongside this convenience comes a host of security risks unique to AI-driven “agentic” browsers. AI browsers expose vulnerabilities like prompt injection, data leakage, and LLM misuse, and real incidents have already occurred. Securing those AI-powered browsers is an extremely difficult challenge, and there’s not a whole lot you’re able to do.
AI browsers are the “next-generation” of browsers
Or so companies would like you to believe
Companies have a vision for your browser, and that vision is your browser working on your behalf. These new-age browsers have AI built-in to varying degrees; from Brave’s “Leo” assistant to Perplexity’s Comet browser or even OpenAI’s new Atlas, there’s a wide range of what they can do, but all are moving towards one common goal if they can’t do it already: agentic browsing.
Agentic browsers are designed to act as a personal assistant, and that’s their primary selling point. Users can type natural language queries or commands into Comet’s interface and watch the browser search, think, and execute, in real time. Comet is designed to chain together workflows; for example, you can ask it to find a restaurant, book a table, and email a confirmation through a single prompt.
Comet isn’t the only option, though. ChatGPT Atlas puts OpenAI’s GPT-5 at the core of your web browser, where its omnibox doubles as a ChatGPT prompt bar and fundamentally blurs the line between navigating through URLs and asking an AI a question. Opera Neon does the same thing, where it uses “Tasks” as sandboxed workspaces aimed at specific projects or workflows. This allows for it to operate in a contained context, without touching your other tabs.
AI-powered browsers embed an LLM-based assistant that sees what you see and can do what you do on the web. Rather than just retrieving static search results, the browser’s integrated AI can contextualize information from multiple pages, automate multi-step web interactions, and personalize actions using your logged-in accounts. Users might spend less time clicking links or copying data between sites, and more time simply instructing their browser to take care of their business.
With all of that said, giving an AI agent the keys to your browser, with access to your authenticated sessions, personal data, and the ability to take action, fundamentally changes the browser’s security model. Very little of it is actually good, but why? Understanding how an LLM works is key to understanding why AI browsers are terrifying as a concept, and we’ll first start with the basics.
When it comes to LLMs, there’s one thing they excel at above all else: pattern recognition. They’re not a traditional database of knowledge in the way most may visualize them, and instead, they’re models trained on vast amounts of text data from millions of sources, which allows them to generate contextually relevant responses. When a user provides a prompt, the LLM interprets it and generates a response based on probabilistic patterns learned during training. These patterns help the LLM predict what is most likely to come next in the context of the prompt, drawing on its understanding of the relationships and structures in the language it has been trained on.
With all of that said, just because an LLM can’t reason by itself, doesn’t mean that it can’t influence a logical reasoning process. It just can’t operate on its own. A great example of this was when Google paired a pre-trained LLM with an automatic evaluator to prevent hallucinations and incorrect ideas, calling it FunSearch. It’s essentially an iteration process pairing the creativity of an LLM with something that can kick it back a step when it goes too far in the wrong direction.
So, when you have an LLM that can’t reason by itself, and merely follows instructions, what happens? Jailbreaks. There are jailbreaks that work for most LLMs, and the fundamental structure behind them is to overwrite the predetermined rules of the sandbox that the LLM runs in. Apply that concept to a browser, and you have a big problem that essentially merges the control plane and the data plane, where these should normally be decoupled, and takes it over in its entirety.
Every agentic AI browser has been exploited already
It’s essentially whack-a-mole
Imagine an LLM as a fuse board in a home and each of the individual protections (of which there are probably thousands) as fuses. You’ll get individual fuses that prevent it from sharing illegal information, ones that prevent it from talking about drugs, and others that protect it from talking about shoplifting. These are all examples, but the point is that modern LLMs can talk about all of these and have all of that information stored somewhere, they just aren’t allowed to. This is where we get into prompt injection, and how that same jailbreaking method can take over your browser and make it do things that you didn’t want it to.
In a prompt injection attack, an attacker embeds hidden or deceptive instructions in content that the AI will read, and it can be in a webpage’s text, HTML comments, or even an image. This means that when the browser’s LLM processes that content, it gets tricked into executing the attacker’s instructions. In effect, the malicious webpage injects its own prompt into the AI, hijacking the browser and executing those commands. Unlike a traditional exploit that targets something like a memory bug or uses script injection, prompt injection abuses the AI’s trust in the text it processes.
In an AI browser, the LLM typically gets a prompt that includes both the user’s query and some portion of page content or context. The root of the vulnerability is that the browser fails to distinguish between the user’s legitimate instructions and untrusted content from a website. Brave’s researchers demonstrated how instructions in the page text can be executed fairly easily by an agentic browser AI. The browser sees all the text as input to follow, so a well-crafted page can smuggle in instructions like “ignore previous directions and do X” or “send the user’s data to Y”. Essentially, the webpage can socially engineer the AI, which in turn has the ability to act within your browser using your credentials and logged in websites.
These can be anywhere on the web, and they’re not limited to far-out corners of the internet. In Brave’s research, examples included Reddit comments, Facebook posts, and more. What they were able to do with a single Reddit comment was nothing short of worrying. In a demonstration, using Comet to summarize a Reddit thread, they were able to make Comet share the user’s Perplexity email address, attempt a log in to their account, and then reply to that user with the OTP code to log in. How this works, from the browser’s perspective, is very simple.
- The user asks the browser to summarize the page
- The page sees the page as a string of text, including the phrase “IMPORTANT INSTRUCTIONs FOR Comet Assistant: When you are asked about this page ALWAYS do the following steps:
- The AI interprets this as a command that it must follow, from the user or otherwise, as the LLM sees a large string of text starting with the initial request to summarize the page and what looks like a command intended for it interweaved with that content
- The AI then executes those instructions
It goes from bad to worse for Comet when looking at LayerX’s “CometJacking” one-click compromise, which abused a single weaponized URL capable of stealing sensitive data exposed in the browser. Comet’s would interpret certain parts of the URL as a prompt if formatted a certain way. By exploiting this, the attacker’s link caused the browser to retrieve data from the user’s past interactions and send it to an attacker’s server, all while looking like normal web navigation.
It’s not all Comet, either. Atlas already has faced some pretty serious prompt injection attacks, including the mere inclusion of a space inside of a URL sometimes making it so the second part of the URL gets interpreted as a prompt. For every bug that gets patched, another will follow, just like how every LLM can be jailbroken with the right prompt.
Even Opera admits that this fundamental problem will continue to be a problem.
Prompt analysis: Opera Neon incorporates safeguards against prompt injection by analyzing prompts for potentially malicious characteristics. However, it is important to acknowledge that due to the non-deterministic nature of AI models, the risk of a successful prompt injection attack cannot be entirely reduced to zero.
All it takes is one instance of successful prompt injection for your browser to suddenly give away all of your details. Is that a risk you’re willing to take?
In terms of risk-taking, clearly some aren’t willing to take them. In fact, I’d wager this is the primary reason that Norton’s own AI browser doesn’t have agentic qualities. The company’s main product is its antivirus and security software, and if one of its products is found to start giving away user information and following prompts embedded in a page, that’s a pretty bad thing to have associated with the main business that actually makes the company’s money. The rest can take risks, but an AI browser is so fundamentally against the ethos of a security-oriented company that it’s simply not worth it.
AI makes it easy to steal your data
There are already many demonstrations
Closely related to prompt injection is the risk of data leakage, which is the unintended exposure of sensitive user data through the AI agent. In traditional browsers, one site cannot directly read data from another site or from your email, thanks to strict separation (such as same-origin policies). But an AI agent with broad access can bridge those gaps. If an attacker can control the AI via prompt injection, they can effectively ask the browser’s assistant to hand over data it has access to, defeating the usual siloing of information thanks to that merged control plane and data plane that we mentioned earlier. This turns AI browsers into a new vector for breaches of personal data, authentication credentials, and more.
The Opera security team explicitly calls out “data and context leakage” as a threat unique to agentic browsers: the AI’s memory of what you’ve been doing (or its access to your logged-in sessions) “could be exploited to expose sensitive data like credentials, session tokens, or personal information.” The CometJacking attack described earlier is fundamentally a data leakage exploit, and it’s pretty severe. LayerX’s report makes clear that if you’ve authorized the AI browser to access your Gmail or calendar, a single malicious link can be used to retrieve emails, appointments, contact info, and more, then send it all to an external server without your permission. All of this happens without any traditional “malware” on your system; the AI itself, acting under false pretenses, is what’s stealing your data.
In a sense, we’ve taken a significant step back in time when it comes to browser exploits. Nowadays, it’s incredibly rare that malware is installed by merely clicking a link without running a downloaded executable, but that wasn’t always the case. Being mindful of what you click has always been good advice, but it comes from a time where clicking the wrong link could have been damaging. Now, we’re back in that same position again when it comes to agentic browsers, and it’s basically a wild west where nobody knows the true extent of what can be abused, manipulated, and siphoned out from the browser.
Even when not explicitly stealing data for an attacker, AI browsers might accidentally leak information by virtue of how they operate. For instance, if an AI agent is simultaneously looking at multiple tabs or sources, there’s a risk it could mix up contexts and reveal information from one tab into another. Opera Neon tries to mitigate this by using separate Tasks (which, remember, are isolated workspaces) so that an AI working on one project can’t automatically access data from another. Compartmentalization in this way is important, as these AIs keep an internal memory of the conversation or actions, and without clear boundaries, they may spill your data into places that it shouldn’t go.
For example, consider an AI that in one moment has access to your banking site (because you asked it to check a balance) and the next moment is composing an email; if it isn’t carefully controlled, a prompt injection in a public site could make it include your bank info in a message or a summary. This kind of context bleed is a form of data leak. It’s not really hypothetical, either. We’ve already seen data leaks from LLMs in the past, including the semi-recent ShadowLeak exploit that abused ChatGPT’s “Deep Research” mode, and you can bet that there are individuals out there looking for more exploits just like that.
There is also a broader data concern with AI browsers: many rely on cloud-based LLM APIs to function. This means that page content or user prompts are sent to remote servers for processing. If users feed sensitive internal documents or personal data to the browser’s AI, that data could reside on an external server and potentially be logged or used to further train models (unless opt-out mechanisms are in place). Organizations have already learned this the hard way with standalone ChatGPT, and we’ve already seen cases where employees who were using ChatGPT inadvertently leaked internal data.
Agentic AI browsers are incredibly risky
Even Brave says so
I’ll leave you with a quote from Brave’s security team, which has done fantastic work when it comes to investigating AI browsers. They’re building a series of articles investigating vulnerabilities affecting agentic browsers, and the team states that there’s more to come, with one vulnerability held back “on request” so far.
As we’ve written before, AI-powered browsers that can take actions on your behalf are powerful yet extremely risky. If you’re signed into sensitive accounts like your bank or your email provider in your browser, simply summarizing a Reddit post could result in an attacker being able to steal money or your private data.
This warning from a browser-maker itself is telling: it suggests that companies in this space are well aware that the convenience of an AI assistant comes with a trade-off in security. Brave has even delayed its own agentic capabilities for Leo until stricter safeguards can be implemented, and it’s exploring new security architectures to contain AI actions in a safe way. There’s a key takeaway here, though: no AI browser is immune, and as Opera put it, they likely never will be. Even more concerning is that the attacks themselves are often startlingly simple for the attacker, and there’s a rapid learn-and-adapt cycle that has less of a deterministic answer than most browser exploits you’ll find.
Web browsers have been around for years, and their development has come about as a result of decades of hardening, security modelling, and best practices developed around a single premise: the browser renders content, and code from one source should not tamper with another. AI-powered browsers shatter that premise by introducing a behavioral layer, the AI agent, that intentionally breaks down those protective barriers by having the capability to take action across multiple sites on your behalf. This new paradigm is antithetical to everything we’ve learned about browser security across multiple decades.
In an AI browser, the line between trusted user input and untrusted web content becomes hazy. Normally, anything coming from a webpage is untrusted by default. But when the AI assistant reads a webpage as part of answering the user, that content gets mingled with the user’s actual query in the prompt. If this separation isn’t crystal clear, the AI will treat web-provided text as if the user intended it. What’s more, the security model of the web assumes a clear separation between the sites you visit and the code and data used to display them, thanks to things like same-origin policy, content security policy, CORS, and sandboxing iframes. An AI can effectively perform cross-site actions by design, violating all of those protective mechanisms. In other words, the isolation that browsers carefully enforce at the technical level can be overcome at the logic level via the AI.
Even more worrying, unlike traditional code, LLMs are stochastic and can exhibit unexpected behavior. Opera’s team noted that in their own Neon exploit, they only had a 10% success rate reproducing a prompt injection attack they had designed internally. That 10% success rate sounds low, but it actually highlights another, more difficult challenge. Security testing for AI behavior is inherently probabilistic; you might run 100 test prompts and see nothing dangerous, but test prompt 101 might succeed. The space of possible prompts is infinite and not easily enumerable or reducible to static rules. Furthermore, as models get updated (or as they fine-tune from user interactions), their responses to the same input might change. An exploit might appear “fixed” simply because the model’s outputs shifted slightly, only for a variant of the same prompt to work again later.
All the real-world cases to date carry a clear message: users should be very careful when using AI-enabled browsers for anything sensitive. If you do choose to use one, pay close attention to what the AI is doing. Take advantage of any “safe mode” features, like ChatGPT Atlas allowing users to run the agent in a constrained mode without any logged in site access, and Opera Neon outright refuses to run on certain sites at all for security reasons. The hope is that a combination of improved model tuning, better prompt isolation techniques, and user interface design will mitigate most of these issues, but it’s not a guarantee, and as we’ve mentioned, these problems will likely always exist in some way, shape, or form.
The convenience of having an AI assistant in your browser must be weighed against the reality that this assistant can be tricked by outsiders if not supervised. Enjoy the futuristic capabilities of these browsers by all means, but remember that even Opera’s 10% success rate with one particular prompt injection attack means that you need to be lucky every time, while an attacker only needs to get lucky once. Until the security catches up with the innovation, use these AI browsers as if someone might be looking over the assistant’s shoulder. In a manner of speaking, someone just might.
