Is it safe to use AI browsers like ChatGPT Atlas and Perplexity Comet? Researchers warn of major security vulnerability

The era of agentic AI-enabled browsers is here, with Perplexity's Comet and OpenAI's ChatGPT Atlas taking the lead, while others like Opera Neon and The Browser Company's Dia are also in the running. However, the new technology also brings with it a new set of security challenges, some of which have been exposed in a recent report.

Notably, a large part of Comet and Atlas' appeal is that they can complete multi-step actions on behalf of the user. However, Brave, the Chromium-based browser, has been outspoken about the security threats that so-called agentic AI browsers can spread. In an earlier report, Brave researchers uncovered a security issue in Comet that allowed malicious websites to hijack the browser's AI assistant and perform unauthorized tasks. The serious prompt injection vulnerabilities they exposed in Perplexity's Comet could allow malicious websites to hijack the browser's AI assistant and perform unauthorized actions with the user's logged-in privileges via a technique called "indirect prompt injection". In this technique, the attacker embeds hidden commands within a web page, a social media comment or an image, which the AI then takes as the user's command.

Brave again sounds alarm about agentic browsers

In its latest blog post, Brave again described security vulnerabilities in the Comet assistant that allow attackers to inject a prompt and get the assistant to do tasks that the user did not intend. The report says that Comet allows users to take screenshots of websites and ask questions about those images, but attackers can now inject commands by embedding malicious instructions as nearly invisible text in the image.

"An attacker injects malicious instructions into web content that is difficult for humans to see. In our attack, we were able to hide prompt injection instructions in images by using a dim light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user," Brave explained in its blog post. The AI assistant then extracts the text from the screenshot, and the injected command instructs it to maliciously use browser tools.

The researchers were also able to bypass the security measures of another agentic AI browser called Fellou. They found that asking the browser to go to a website causes it to send the website's content to its LLM. As a result, the AI sends both the user's command and the malicious command on the web page to the LLM, which instructs the AI to use browser tools maliciously.

"The security vulnerability we found in Perplexity's Comet browser this summer is not an isolated issue. Indirect prompt injections are a systemic problem facing Comet and other AI-powered browsers," Brave warned in a social media post.

OpenAI was also well aware of the risks of agentic AI-based browsers when it launched Atlas on Tuesday. "Despite all the power and amazing capabilities you get from sharing your browser with ChatGPT, it also comes with a whole new set of risks," an OpenAI employee admitted during the Atlas live stream. While the ChatGPT maker says that Atlas does not have access to other data on the computer besides the browser tabs, the company did not explain how its browser is better protected against prompt injections. Some users on social media have also started claiming that Atlas is vulnerable to prompt injections, similar to Comet.
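As an added defender-side illustration (not code from Brave's report or from any of the browsers discussed), the check below targets the hidden-text case described above: given text regions recovered from a screenshot together with their foreground and background colours (the region data and colours here are constructed), it computes the WCAG contrast ratio and quarantines text a human could not actually see before the page text is handed to the model.

```python
from dataclasses import dataclass

@dataclass
class TextRegion:
    """One OCR'd text region from a screenshot, with the colours it was drawn in."""
    text: str
    fg: tuple  # (r, g, b), 0-255, colour of the glyphs
    bg: tuple  # (r, g, b), 0-255, colour behind the glyphs

def _linear(channel_8bit):
    # sRGB channel -> linear light, per the WCAG 2.x relative luminance formula
    c = channel_8bit / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4

def relative_luminance(rgb):
    r, g, b = (_linear(x) for x in rgb)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b

def contrast_ratio(color_a, color_b):
    # Ratio of the lighter to the darker luminance, in the WCAG range 1.0 .. 21.0
    la, lb = relative_luminance(color_a), relative_luminance(color_b)
    lighter, darker = max(la, lb), min(la, lb)
    return (lighter + 0.05) / (darker + 0.05)

def is_effectively_hidden(region, min_ratio=3.0):
    # 3.0 is the WCAG minimum for large text; anything below it is not
    # realistically readable by the user and should not be treated as visible.
    return contrast_ratio(region.fg, region.bg) < min_ratio

def split_visible(regions, min_ratio=3.0):
    """Return (visible_text, quarantined_regions) so the agent only forwards
    what the user could have read; the rest is logged for review."""
    visible, quarantined = [], []
    for region in regions:
        (quarantined if is_effectively_hidden(region, min_ratio) else visible).append(region)
    return " ".join(r.text for r in visible), quarantined

# Constructed sample: ordinary page text plus a light-blue-on-yellow region
# of the kind Brave described (placeholder text, colours are assumptions).
SAMPLE_REGIONS = [
    TextRegion("Quarterly results are up 4%", fg=(0, 0, 0), bg=(255, 255, 255)),
    TextRegion("[constructed hidden instruction text]", fg=(173, 216, 230), bg=(255, 255, 0)),
    TextRegion("Read the full report", fg=(20, 20, 20), bg=(255, 255, 0)),
]

if __name__ == "__main__":
    text, held = split_visible(SAMPLE_REGIONS)
    print("forwarded to model:", text)
    print("quarantined:", [r.text for r in held])
```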