Web browsers are getting awfully verbose. They got even more chatty last week after OpenAI and Microsoft kicked the AI browser race into high gear with ChatGPT Atlas and “co-pilot mode” for Edge. They can answer questions, summarize pages, and even take action on your behalf. The experience isn’t glossy yet, but it points to a more convenient future where your browser does all the thinking for you. This future could also be a minefield of up-to-date security vulnerabilities and data leaks, cybersecurity experts warn. The signs are already here, as scientists say Edge chaos is just beginning.
Atlas Mode and Copilot are part of a broader effort to control internet gateways and put artificial intelligence directly into the browser itself. This action transforms once-standalone chatbots running on separate pages or apps into a platform you exploit to navigate the Internet. They are not alone. Established players are also in the race, such as Google, which is integrating its Gemini AI model with Chrome; Opera, which launched Neon; and The Browser Company with Dia. Startups are also eager to stake their claims, such as AI startup Perplexity — best known for its AI-powered search engine, which made its Comet AI-powered browser available to everyone in early October — and Sweden’s Strawberry, which is still in beta and actively attacks “disappointed Atlas users”.
Just in the last few weeks, researchers have discovered something like this gaps in the Atlas allowing attackers to exploit ChatGPT “memory” to inject malicious code, grant themselves access privileges, or deploy malware. Flaws discovered in the comet could allow attackers to hijack the browser’s AI via hidden instructions. Embarrassment, via blogand OpenAI chief information security officer Dane Stuckey last week identified rapid injections as a large threat, though both described it as a “borderline” problem with no clear solution.
“Despite installing several heavy defenses, the attack surface is huge,” says Hamed Haddadi, professor of human-centered systems at Imperial College London and chief scientist at web browser company Brave. And what we see is just the tip of the iceberg.
In the case of AI browsers, there are many threats. First of all, they know much more about you and are “much more efficient than traditional browsers,” says Yash Vekaria, a computer science researcher at the University of California, Davis. Vekaria claims that “there is a direct risk of tracking and profiling by the browser itself,” even more so than with standard browsers. AI “memory” features are designed to learn from everything a user does or shares, from browsing to emails to searches, as well as conversations with the built-in AI assistant. This means you’re probably sharing a lot more than you realize, and the browser is remembering it all. The result is “a more invasive profile than ever before,” Vekaria says. Hackers would like to get their hands on this information, especially when combined with stored credit card and login details that are often found in browsers.
Another threat is inherent in the implementation of any up-to-date technology. No matter how careful developers are, there will inevitably be weaknesses that hackers can exploit. This can include bugs and coding errors that accidentally expose sensitive data, or stern security vulnerabilities that could allow hackers to gain access to your system. “This is just the beginning, so risky vulnerabilities are to be expected,” says Łukasz Olejnik, an independent cybersecurity researcher and senior visiting research fellow at King’s College London. He points to “early abuses of Office macros, malicious browser extensions, and mobile phones [the] introducing permissions” as examples of past security issues associated with implementing new technologies. “Here we go again.”
Some vulnerabilities are never discovered—sometimes leading to devastating zero-day attacks, named after there are no days to fix the vulnerability—but thorough testing can reduce the number of potential problems. For AI browsers, “the biggest immediate threat is market momentum,” Haddadi says. “These agent browsers have not been thoroughly tested and validated.”
But the defining feature of AI browsers, artificial intelligence, is where the worst threats lurk. The biggest challenge is AI agents acting on behalf of the user. Like humans, they can visit suspicious websites, click suspicious links, and enter sensitive information in places it shouldn’t be, but unlike some humans, they lack the learned common sense that helps keep us safe online. Agents can also be misled, or even kidnapped, for nefarious purposes. You just need to have the right instructions. So-called quick injections can range from blatantly obvious to subtle and effectively hidden in plain sight in things like images, screenshots, form fields, email messages and attachments, and even something as simple as white text on a white background.
Worse still, these attacks can be very difficult to predict and defend. Automation means bad actors can keep trying again until the agent does what they want, Haddadi says. “Interacting with agents allows for endless trial-and-error configurations and exploration of methods for inserting malicious prompts and commands.” There is simply a much greater chance that a hacker will break through while interacting with an agent, opening up a huge space for potential attacks. Shujun Li, professor of cybersecurity at the University of Kent, says “zero-day vulnerabilities are skyrocketing” as a result. What’s worse: Li says that when a vulnerability starts with an agent, detection will also be delayed, meaning potentially larger breaches.
It’s not hard to imagine what may await us. Olejnik sees scenarios where attackers use hidden instructions to trick AI browsers into sending personal information or steal purchased goods by changing a stored address on a shopping page. Worse still, Vekaria warns that “it’s relatively uncomplicated for attacks to be carried out” given the current state of AI browsers, even with security measures in place. “Browser vendors have a lot of work to do to provide end users with greater security and privacy,” he says.
For some threats, experts say the only real way to stay safe when using AI browsers is to simply avoid the marquee feature altogether. Li suggests that people spare AI “only when absolutely necessary” and know what they are doing. Browsers should “default to AI-free mode,” he says. If you must use the AI agent feature, Vekaria recommends hand-holding. When setting the assignment, provide the agent with verified websites that you know are safe rather than letting them find them themselves. “You may end up suggesting and using a scam website,” he warns.