Artificial intelligence–powered web browsers are the latest sensation in Silicon Valley — and also the newest cybersecurity headache.
This month, both OpenAI and Perplexity AI unveiled their AI browsers, pitching them as the next big leap for everyday internet use. These new tools let users navigate the web with a built-in “agent” capable of summarizing pages, drafting emails, managing shopping lists, or even writing social media posts.
But with that convenience comes a major risk: these agents can access your most sensitive online accounts — email, banking, cloud storage — and can be tricked into following hidden commands planted by hackers.
The Hidden Threat Inside Webpages
AI browsers work by letting their agents read and interpret every website a user visits. That’s also what makes them vulnerable. Malicious actors can plant invisible text or code designed to hijack the AI’s behavior, an attack known as a prompt injection.
A prompt injection can tell an AI to ignore its original instructions and follow new, hidden commands. In extreme cases, that might include sharing private data, sending unauthorized emails, or even making transactions.
“The crux of it is that these systems — whether it’s a browser or email automation — are inherently vulnerable to this kind of manipulation,” said Michael Ilie, head of research at HackAPrompt, which runs competitions for discovering prompt injections. “We’re playing with fire.”
A Game of Whack-a-Mole
Security teams are in a constant race to detect and patch these vulnerabilities. Companies including OpenAI, Perplexity, and Opera have confirmed they’re continually updating their browsers to counter prompt injection attacks.
Yet hackers and researchers keep finding new holes. Earlier this year, engineers at Brave Software — makers of the privacy-focused Brave browser — discovered a live vulnerability in Opera’s AI browser, Neon. The flaw allowed a hidden command on a webpage to make Neon’s AI agent steal a user’s email address and upload it to an attacker’s server. Opera said it has since patched the issue.
To prove how simple such attacks can be, Brave’s VP of privacy and security, Shivan Sahib, created a harmless demo site that displayed only “Hello” to human visitors. Behind the scenes, invisible instructions told the AI to fetch and send the user’s email — no permission asked.
“You could be doing something as innocent as summarizing a webpage,” Sahib said. “And suddenly, your AI is exposing your private data or draining your bank account.”
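A defensive pre-filter for the kind of page described above, as an added example that is not from the article or from any vendor's browser: it splits a page's text into what a human would see and what is hidden from them, so that only the visible text reaches an agent and the hidden fragments can be flagged. It assumes the hiding is done with inline styles or the `hidden` attribute; text hidden through external stylesheets or faint text inside images needs a rendering engine and is out of its reach. The sample page and its placeholder strings are constructed.

```python
import re
from html.parser import HTMLParser

# Inline styles that make text invisible to a human reader.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|font-size\s*:\s*0(px|pt|em|rem|%)?\s*(;|$)", re.IGNORECASE)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr", "source"}
NON_CONTENT = {"script", "style", "template", "noscript"}

class VisibilitySplitter(HTMLParser):
    """Sorts page text into what a human sees and what is hidden from them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                  # (tag, state) for each open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        hides = "hidden" in a or HIDING_STYLE.search(a.get("style") or "")
        state = "skip" if tag in NON_CONTENT else "hidden" if hides else "visible"
        self.stack.append((tag, state))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not desync.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        states = {s for _, s in self.stack}
        if text and "skip" not in states:    # drop script/CSS source entirely
            (self.hidden if "hidden" in states else self.visible).append(text)

def split_page(html):
    """Return (visible_text, hidden_fragments) for an HTML string."""
    parser = VisibilitySplitter()
    parser.feed(html)
    parser.close()                       # flushes trailing text
    return " ".join(parser.visible), parser.hidden

# Constructed sample modelled on the demo page: a human sees only "Hello".
SAMPLE_PAGE = (
    '<body><p>Hello</p>'
    '<div style="display:none">[placeholder: instruction aimed at the agent]</div>'
    '<span style="font-size:0">[placeholder: second hidden instruction]</span>'
    '<p style="opacity:0.5">Faded but visible</p></body>')
```

A non-empty second return value is a signal worth logging on its own, since ordinary pages rarely hide prose from the reader while leaving it in the text an agent ingests.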
OpenAI and Perplexity Brace for Attacks
Even OpenAI’s new browser, Atlas, faces the same risk. The company’s chief information security officer, Dane Stuckey, acknowledged that prompt injections remain “an unsolved security problem.” His team has been red-teaming Atlas — testing it with simulated hacks — to find weaknesses before real attackers do.
Researchers have already discovered small-scale exploits in Atlas that could trick it through hidden text on word processing sites like Google Docs or Microsoft Word. The text, invisible to humans, is still read as commands by the AI.
OpenAI offers a “logged-out mode” that limits the damage hackers can do, but that mode also disables many of the browser’s most appealing features — such as sending emails or placing online orders. As Atlas’ lead developer Pranav Vishnu warned during its launch, users should “think carefully” about which tasks actually require logged-in access.
Meanwhile, Brave researchers also found two vulnerabilities in Perplexity’s AI browser, Comet. One hid malicious instructions inside a Reddit “spoiler” post. Another concealed commands in an image with text so faint only an AI could read it.
Perplexity’s deputy CTO, Jerry Ma, acknowledged the findings but said his team has built multiple layers of defense to prevent real-world harm. He advised users to pay attention to what their AI agent is doing — even as the company markets automation as a hands-free experience.
“With browsers, every single step is visible,” Ma said. “You can see it clicking, analyzing, acting. That transparency matters.”
Still, he downplayed the risks. “So far, the high-profile examples are academic. But we take every report seriously — our team literally works nights and weekends to make the system resilient.”
Ma also took a swipe at Brave for exposing vulnerabilities before releasing its own AI browser:
“Some companies focus on improving their products for users. Others seem more interested in pointing fingers,” he said.
The Bottom Line
AI browsers promise to revolutionize how we use the web — but they’re also opening a new frontier of cyber risk. Every hidden word or image could potentially contain a trap for an overly helpful AI agent.
As one security expert put it: “We’re giving AIs the keys to the kingdom — and hoping they don’t get tricked into opening the door.”