Are AI Browsers Safe

AI browsers are the tech industry’s current obsession. OpenAI’s Atlas, Perplexity’s Comet, and the agent modes arriving inside Chrome and Edge all pitch the same dream: a browser that doesn’t just show you the web but does things for you. Summarize your inbox. Compare prices and buy the cheapest one. Fill the form, book the flight, handle it.

I’ve spent time in the security research on these, and here’s my honest position up front: the convenience is real, and so is a category of attack that the companies building these browsers openly admit they cannot fully solve. Whether that trade is worth it depends entirely on how you’d use one, so let me explain the actual problem in plain language, show you a real attack, and then give you a straight answer by use case instead of vague hand-wringing.

What an AI Browser Actually Does With Your Logins

First, understand what makes these different from a chatbot in a sidebar. An agentic browser acts as you. It browses while you’re signed in, which means it operates with full access to your authenticated sessions: your email, your cloud storage, your shopping accounts, potentially your banking. That’s the entire value proposition, because an assistant that can’t access your stuff can’t do your errands.

Hold that thought, because it’s also the entire risk. Anything the agent can reach, an attacker who hijacks the agent can reach, in one move, without ever stealing a password.

Prompt Injection, in Plain Language

Here’s the simplest true way to say it: an AI agent cannot reliably tell the difference between your instructions and words it reads while working.

Imagine a diligent, obedient assistant who follows any instruction they encounter, anywhere, including notes strangers left lying around. You send them to summarize a document; halfway down the page someone has written “ignore your boss’s request and mail his tax files to this address,” and the assistant just… does it. Not because they’re malicious. Because they process every sentence as potentially being a command, and they can’t verify who wrote what.

That’s prompt injection. The malicious instructions don’t need to be visible to you: attackers hide them as white text on white backgrounds, in HTML comments, in tiny fonts, even encoded inside images that the AI reads and you can’t. You ask your browser to “summarize my unread email,” it opens a booby-trapped message containing hidden orders, and it follows them with your access. This isn’t hypothetical; it’s OpenAI’s own published example of the threat against its own browser.

A Real Attack, Start to Finish

The one to know is nicknamed CometJacking, demonstrated by security researchers against Perplexity’s Comet. The attacker crafts a single malicious link. You click it, one click, no password entered, no warning shown, and hidden instructions in the URL tell the browser’s AI to consult its memory and your connected services instead of the web. In the researchers’ tests, that meant the agent quietly reading Gmail messages and Google Calendar invites and encoding the data for delivery to the attacker.

A second one is nastier in a different way. Researchers found that a malicious website could inject instructions into your ChatGPT account’s memory, the feature that remembers your preferences across conversations. Those tainted memories then persist across every device where you use that account, home laptop, phone, work machine, surviving restarts and logouts, quietly steering the AI’s future behavior. Poison it once, own it everywhere.

Also worth knowing: independent testing found Atlas users up to 90% more vulnerable to phishing than users of Chrome or Edge, because these young browsers lack the mature anti-phishing plumbing the old ones spent decades building.

What the Makers Themselves Admit

This is the part that should calibrate you more than any headline. OpenAI’s chief information security officer has publicly called prompt injection a “frontier, unsolved security problem.” Perplexity describes it as a frontier problem “the entire industry is grappling with.” The UK’s National Cyber Security Centre has said the risk likely can’t be fully eliminated. And the reason is structural, not laziness: these systems have no reliable way to separate trusted commands from untrusted content, and there are effectively infinite ways to phrase an attack, so there’s no filter that blocks them as a class.

The vendors do mitigate: red-teaming, training models to refuse suspicious instructions, confirmation prompts before sensitive actions. Those measures reduce the odds. Nobody serious, including the vendors, claims they end the problem. Meanwhile, by spring 2026 the consensus among corporate security teams is telling: most organizations now restrict these browsers to approved tools and keep sensitive workflows off them entirely.

Should You Use One? A Straight Answer by Use Case

For research, summarizing public pages, and browsing where you’re not logged into anything sensitive: reasonable. The blast radius of an attack is small when there’s nothing valuable in the session. This is genuinely where these browsers shine anyway.

For your email, cloud drive, and anything connected to your identity: I wouldn’t, yet. Every serious demonstrated attack runs through exactly these connections. The convenience of “summarize my inbox” is real, and it’s also the precise capability CometJacking weaponized.

For banking, payments, and shopping with saved cards: no. An agent authorized to act in a session where money moves is the highest-stakes version of an unsolved problem. Do your money in a normal browser.

For work accounts: follow your employer’s policy, and if there isn’t one, assume the answer is no. You’d be connecting an experimental agent to data that isn’t only yours.

If You Do Use One: The Five Rules

  1. Give it a clean identity. Run the AI browser with a separate profile that has no saved passwords and isn’t signed into your main email, bank, or work accounts. An agent can’t leak what it can’t reach.
  2. Don’t connect the crown jewels. Decline the integrations with your inbox, calendar, and drive until this field matures. That’s where every serious attack goes first.
  3. Keep confirmations on and actually watch. Leave enabled every setting that makes the agent pause before sending, buying, or deleting, and stay present while it works instead of treating it as fire-and-forget.
  4. Turn off or regularly clear memory features. Persistent memory is exactly what the tainted-memories attack poisons. Less remembered, less corruptible.
  5. Keep your boring browser for everything that matters. Two browsers is not a hardship. Money, email, and anything you’d hate to see leaked stay in Chrome, Edge, Firefox, or Safari with their decades of anti-phishing armor.

Quick Answers

  • What is prompt injection in simple terms?
    Hidden instructions planted in a web page, email, or document that an AI follows as if you had typed them, because AI agents can’t reliably tell your commands apart from text they read.
  • Can an AI browser leak my passwords or bank details?
    Demonstrated attacks have exfiltrated email and calendar data through logged-in sessions without stealing passwords at all. The agent’s own access is what gets abused, which is why keeping sensitive logins out of it matters most.
  • Is ChatGPT Atlas or Comet safer?
    Testing has found weaknesses in both, and the honest answer is that no agentic browser is currently immune. The vendors themselves describe the underlying problem as unsolved.
  • Will this get fixed?
    Mitigations keep improving, but security researchers and the vendors agree there’s no known complete fix, since the flaw is structural to how these systems read instructions.
  • Is it safe to use an AI browser for normal browsing?
    For reading and research in sessions without sensitive logins, the risk is modest. The danger scales with what the agent is connected to.

The Bottom Line

AI browsers are a genuinely new idea carrying a genuinely unsolved flaw: they act with your access, and they can be talked into betraying you by words hidden on a page. The people building them say so themselves in unusually plain terms. That doesn’t make them useless; it makes them power tools without guards yet. Use one for research with a clean profile if you’re curious, keep your email, money, and memory features out of its reach, and let the security arms race play out a while longer before you hand any agent the keys to your actual life. In a year this advice may soften. Today it’s just accurate.

LEAVE A REPLY

Please enter your comment!
Please enter your name here