Web browsers are becoming extremely chatty. They’re even more in the conversation after OpenAI and Microsoft ramped up the AI browser race last week with ChatGPAT Atlas and “Copilot Mode” for Edge. They can answer questions, present summaries of pages, and even take actions on your behalf. The experience isn’t intuitive yet, but it points toward a more convenient, practical future where your browser does a lot of the thinking for you. Cyber security experts have warned that the future could also be a storehouse of new vulnerabilities and data leaks. The signs are already here, and researchers explain The Verge The chaos has just begun.
Atlas and Copilot Mode are part of a broader land grab to control gateways to the Internet and bake AI directly into the browser itself. This push is transforming what were once standalone chatbots onto separate pages or apps that you use to navigate the web. They are not alone. Established players are also in the race, such as Google, which is integrating its Gemini AI model into Chrome; Opera, which launched Neon; and browser company, with Dia. Startups are also keen to stake a claim, such as AI startup Perplexity – known for its AI-powered search engine, which made its AI-powered browser Comet freely available to everyone in early October – and Sweden’s Strawberry, which is still in beta and Actively going after “frustrated Atlas users”.
In the last few weeks, researchers have revealed this Vulnerabilities in Atlas Allows attackers to take advantage of ChatGPT’s “memory” to insert malicious code, grant themselves access privileges, or deploy malware. Flaws found in comet This could allow attackers to hijack the browser’s AI with hidden instructions. confusion, through a blogAnd Dan Stuckey, OpenAI’s chief information security officer, last week acknowledged instant injections as a major threat, though both described them as a “marginal” problem with no concrete solutions.
“Despite having some heavy guardrails, there is a huge attack surface,” says Hamed Haddadi, professor of human-centered systems at Imperial College London and chief scientist at the web browser company Brave. And what we’re seeing is just the tip of the iceberg.
With an AI browser, the threats are innumerable. Most importantly, they know far more about you and “are far more powerful than traditional browsers,” says Yash Vekariya, a computer science researcher at UC Davis. Even more than standard browsers, Vekaria says, “there is an imminent risk from being tracked and profiled by the browser.” AI “memory” functions are designed to learn from everything a user does or shares, from browsing to email to searches, as well as interactions with the built-in AI assistant. This means you’re probably sharing more than you realize, and the browser remembers it all. The result, says Vekaria, is “a more aggressive profile than ever before”. Hackers will want to get hold of that information, especially if it is associated with stored credit card details and login credentials often found on browsers.
Another risk is inherent in the implementation of any new technology. No matter how careful developers are, there will inevitably be vulnerabilities that hackers can take advantage of. This can include bugs and coding errors that accidentally expose sensitive data and can also lead to major security flaws that could give hackers access to your system. “It’s early days, so risky vulnerabilities are expected to emerge,” says Lukasz Olejnik, an independent cybersecurity researcher and visiting senior research fellow at King’s College London. He points to “early Office macro abuse, malicious browser extensions, and mobile before the introduction of permissions” as examples of past security issues associated with the rollout of new technologies. “Here we go again.”
Some vulnerabilities are never found – sometimes leading to devastating zero-day attacks, nicknamed the zero day before the flaw was fixed – but thorough testing can reduce the number of potential problems. With AI browsers, “the biggest immediate threat is market congestion,” Haddadi says. “These agentive browsers have not been fully tested and verified.”
But the defining feature of AI browsers, AI, is where the worst threats are arising. The biggest challenge comes with AI agents that act on behalf of the user. Like humans, they are capable of visiting suspicious websites, clicking on suspicious links, and inserting sensitive information in places where sensitive information should not go, but unlike some humans, they lack the learned common sense that helps keep us safe online. Agents can be misled, even kidnapped, for nefarious purposes. All it takes is the right instructions. So-called quick injections can range from the blatantly obvious to the subtle, from the blatantly hidden to the obvious in things like images, screenshots, form fields, emails and attachments, and even in something as simple as white text on a white background.
What’s worse, these attacks can be very difficult to predict and defend against. Haddadi says automation means bad actors can try again and again until the agent does what they want. “Interaction with agents allows for endless ‘trial and error’ configuration and discovery of ways to insert malicious signals and commands.” A hacker has a much greater chance of breaking in when interacting with an agent, opening up a larger window for potential attacks. “Zero-day vulnerabilities are growing rapidly as a result,” says Shujun Li, professor of cybersecurity at the University of Kent. Even worse: Lee says that since the flaw starts with one agent, there will be a delay in detection, too, meaning potentially larger breaches.
It’s not hard to imagine what might be in store. Olejnik sees scenarios where attackers use hidden instructions to get an AI browser to send personal data or steal purchased goods by changing the address saved on a shopping site. To make things worse, Vekaria warns that given the current state of AI browsers, even with security measures in place, “attacks are relatively easy to prevent”. “Browser vendors have a lot of work to do to make them more safe, secure and private for end users,” he says.
For some threats, experts say the only real way to stay safe using an AI browser is to avoid marquee features altogether. Lee suggests that people save AI “only for when they absolutely need it” and know what they are doing. Browsers “should operate in AI-free mode by default,” he says. If you have to use AI agent features, Vekaria recommends some degree of hand-holding. When assigning a task, give the agent verified websites that you know are safe, rather than letting it do the task on its own. “This could result in someone suggesting and using a scam site,” he warned.
