Yet another study breaks the hype bubble for AI browsers, finding serious security flaws

News Room

AI browsers are being sold as the next big thing. They can summarize pages, book trips, and even make purchases for you. But a new study from the University of Washington found that four of the seven most popular ones come with a security risk serious enough to let malicious websites steal data from other sites you have open. The more capable the browser, the bigger the risk turns out to be.

The 30-year security rule that AI browsers are breaking

Since 1995, every browser has followed a rule called the same-origin policy, which prevents websites from reading each other’s data. If you have your bank open in one tab and visit a sketchy site in another, that sketchy site cannot touch your banking information. AI browsers need to bypass this rule to function, since completing tasks across multiple tabs requires reading across different sites.

That broader access is exactly what attackers can exploit through two methods. The first is prompt injection, where a malicious webpage hides secret instructions that the AI agent follows without realizing it has been manipulated, potentially exposing your private emails, passwords, or calendar details.

The second method is memory poisoning, where planted instructions get stored in the agent’s memory and activate later, even after the original page is closed. Researchers ran a successful proof-of-concept attack on ChatGPT Atlas, demonstrating the risk is real. Claude for Chrome was flagged as particularly risky because its browser extension design lets it inject code directly into webpages.
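The same-origin policy described earlier in this section compares the scheme, host, and port of two URLs. As an added example (not code from the study or from any of the browsers named here), the JavaScript below implements that comparison and uses it to decide which open tabs an assistant could read if it were held to the same rule; the tab objects, sample URLs, and function names are hypothetical.

```javascript
// Added example: the same-origin comparison, applied as a gate on agent context.
// Function names and the tab object shape ({ url, text }) are hypothetical.

// An origin is the (scheme, host, port) tuple. URL.origin serializes it and
// drops default ports; opaque origins (data:, file:, ...) serialize to "null".
function originOf(urlString) {
  try {
    const origin = new URL(urlString).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // unparsable URL: treat as opaque
  }
}

// Two URLs are same-origin only if both have a real origin and they match.
// Opaque origins never match anything, including each other.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && oa === ob;
}

// Split open tabs into those sharing the origin of the page the assistant
// was invoked on (readable) and everything else (withheld from its context).
function partitionTabsForAgent(activeUrl, openTabs) {
  const readable = [];
  const withheld = [];
  for (const tab of openTabs) {
    (sameOrigin(activeUrl, tab.url) ? readable : withheld).push(tab);
  }
  return { readable, withheld };
}

// Constructed sample: a bank tab open next to an untrusted page.
const SAMPLE_TABS = [
  { url: "https://bank.example/accounts", text: "account summary" },
  { url: "https://bank.example:443/transfer", text: "transfer form" },
  { url: "http://bank.example/accounts", text: "plain-HTTP lookalike" },
  { url: "https://sketchy.example/article", text: "untrusted page" },
  { url: "data:text/html,<p>inline</p>", text: "opaque origin" },
];

const result = partitionTabsForAgent("https://sketchy.example/article", SAMPLE_TABS);
console.log("readable:", result.readable.map((t) => t.url));
console.log("withheld:", result.withheld.map((t) => t.url));
```

An assistant that works across tabs has to admit content from the withheld list, which is the broader access the article describes.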

Which AI browsers are safe and which ones put your data at risk?

Out of seven browsers, ChatGPT Atlas, Chrome with Gemini, Claude for Chrome, and Perplexity Comet were found vulnerable. Microsoft Edge with Copilot, Brave Leo, and Firefox AI Mode showed stronger security properties, though Firefox was also the most limited in capability.

Researchers disclosed the findings to all companies involved. Anthropic and Firefox did not respond, whereas Perplexity and OpenAI declined to act, arguing the researchers lacked a complete end-to-end attack demonstration. Meanwhile, Google, Microsoft, and Brave engaged constructively with the findings.

This follows the recent BioShocking exploit, which also showed how AI browsers can be manipulated by context. Right now, the research suggests AI browsers may still be moving faster than their security can keep up.
