Originally published at: Be Cautious with Agentic Web Browsers - TidBITS
At The Verge, Robert Hart writes:
In the past few weeks alone, researchers have uncovered vulnerabilities in Atlas allowing attackers to take advantage of ChatGPT’s “memory” to inject malicious code, grant themselves access privileges, or deploy malware. Flaws discovered in Comet could allow attackers to hijack the browser’s AI with hidden instructions. Perplexity, through a blog, and OpenAI’s chief information security officer, Dane Stuckey, acknowledged prompt injections as a big threat last week, though both described them as a “frontier” problem that has no firm solution.
Read Hart’s article for more details on the security and privacy concerns plaguing agentic browsers, but in short, they’re all somewhat vulnerable to “prompt injection” attacks, in which malicious instructions are concealed within content read by an AI. These instructions could be hidden in HTML comments, white text on a white background, or in the page metadata. They might trick the chatbot into requesting personal information or instruct the browser to download and execute malware.
Right now, agentic browsers have limited defenses against prompt injections. While AI systems can distinguish between system instructions and user content at the architectural level, they can’t reliably identify malicious instructions hidden within legitimate content encountered on Web pages. To an LLM, all text is tokens, and all tokens carry essentially equal weight. These browsers do employ input sanitization and prompt classification, and there are guardrails in place, but we’re talking about an entirely new attack space, making it impossible to anticipate and block all potential attacks.
However, there aren’t yet enough users of these agentic browsers to attract sophisticated cybercriminals, and the browsers don’t work well enough to be reliably exploited, so I’m comfortable using one occasionally for experimentation (see “Can Agentic Web Browsers Count?,” 30 October 2025). I think it’s safest to avoid using an agentic browser as your daily driver for now, though. At best, they are one-trick AI ponies that offer few features to enhance the human-powered Web browsing we all do.
