Is it safe to use AI browsers like ChatGPT Atlas and Perplexity Comet? Researchers warn of major security vulnerability

The age of agentic AI-enabled browsers is here, with Perplexity's Comet and OpenAI's ChatGPT Atlas leading the charge while others like Opera Neon and The Browser Company's Dia are also in the race. However, the new technology also brings with it a fresh set of security challenges, some of which were uncovered in a recent report.

Notably, a big part of Comet and Atlas's appeal is that they can complete multi-step actions on behalf of the user. However, Brave, the Chromium-based browser, has been vocal about the security threats that the so-called agentic AI browsers could propagate.

In an earlier report, Brave researchers had exposed a security vulnerability in Comet that allowed malicious websites to hijack the browser's AI assistant and perform unauthorized tasks.

Brave researchers have exposed severe prompt injection vulnerabilities in Perplexity's AI browser, Comet. The security flaw could allow malicious websites to hijack the browser's AI assistant and perform unauthorized actions with the user's logged-in privileges via a technique called 'indirect prompt injection'.

This technique involves the attacker embedding hidden commands within a webpage, a social media comment or an image, which the AI then treats as a command from the user.

Brave once again sounds the alarm about agentic browsers:

In its latest blog post, Brave once again discussed security vulnerabilities found in the Comet assistant that allow attackers to inject prompts and get the assistant to perform tasks the user did not intend.

The report says that Comet allows users to take screenshots of websites and ask questions about those images, but attackers are now injecting prompts by embedding malicious instructions as nearly invisible text within the image.

“An attacker embeds malicious instructions in Web content that are hard to see for humans. In our attack, we were able to hide prompt injection instructions in images using a faint light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user,” Brave explained in its blog post.

The AI assistant then extracts the text from the screenshot, and the injected command instructs it to use browser tools maliciously.

The researchers were also able to bypass the security controls of another agentic AI browser called Fellou. They found that asking the browser to go to a website causes it to send the website's content to its LLM. As a result, the LLM ends up receiving both the user's command and the malicious command embedded in the webpage, and the latter instructs the AI to use browser tools maliciously.
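The two mechanisms above (near-invisible text lifted from a screenshot, and page content concatenated with the user's command) share a defensive counter: treat everything read from a page as untrusted data, keep it out of the instruction channel, and quarantine text a human could not plausibly have seen. The following is an added example, not code from Brave, Perplexity or any of the browsers discussed; it assumes a hypothetical upstream OCR/vision step that yields text spans with their colours, and the spans in it are constructed sample data.

```python
# Added example (not Brave's, Perplexity's or Fellou's code): screen text that an
# assumed OCR/vision step extracted from a screenshot by the WCAG contrast ratio of
# its foreground and background, so faint-blue-on-yellow text is quarantined rather
# than handed to the model beside the user's request. Sample spans are constructed.
from dataclasses import dataclass

RGB = tuple[int, int, int]  # sRGB, 0-255 per channel


@dataclass
class TextSpan:
    text: str
    fg: RGB  # colour of the text itself
    bg: RGB  # colour behind the text


def _linear(channel: int) -> float:
    """sRGB channel -> linear light, as in the WCAG 2.x relative-luminance formula."""
    s = channel / 255
    return s / 12.92 if s <= 0.03928 else ((s + 0.055) / 1.055) ** 2.4


def relative_luminance(rgb: RGB) -> float:
    r, g, b = (_linear(c) for c in rgb)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(fg: RGB, bg: RGB) -> float:
    """WCAG contrast ratio: 1.0 for identical colours, 21.0 for black on white."""
    lighter, darker = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


MIN_CONTRAST = 3.0  # assumed threshold; WCAG's minimum for large text


def screen_spans(spans: list[TextSpan]) -> tuple[list[TextSpan], list[TextSpan]]:
    """Split spans into text a human could plausibly read and text they could not."""
    visible, hidden = [], []
    for span in spans:
        (visible if contrast_ratio(span.fg, span.bg) >= MIN_CONTRAST else hidden).append(span)
    return visible, hidden


def build_model_input(user_request: str, spans: list[TextSpan]) -> dict:
    """Keep the user's instruction and page text in separate fields; page text is
    never merged into the instruction, and quarantined spans are reported, not used."""
    visible, hidden = screen_spans(spans)
    return {
        "instruction": user_request,
        "untrusted_page_text": [s.text for s in visible],
        "quarantined": [s.text for s in hidden],  # show to the user / write to a log
    }
```

Running `build_model_input("Summarise this page", spans)` over a span in dark text on white plus one in (200, 220, 255) on (255, 255, 150) returns the first under `untrusted_page_text` and the second under `quarantined`, because the faint pair scores a contrast ratio near 1.3.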

"The security vulnerability we found in Perplexity's Comet browser this summer is not an isolated issue. Indirect prompt injections are a systemic problem facing Comet and other AI-powered browsers," Brave warned in a social media post.

OpenAI was also well aware of the risks of agentic AI-based browsers when it launched Atlas on Tuesday.

“Despite all of the power and awesome capabilities that you get with sharing your browser with ChatGPT, that also poses an entirely new set of risks,” an OpenAI employee admitted during the Atlas live-stream.

While the ChatGPT maker says Atlas cannot access other data on the computer beyond the browser tabs, the company did not clarify how its browser is better protected against prompt injections. Some users on social media have also begun claiming that Atlas is vulnerable to prompt injections, similar to Comet.
