These days, AI browsers are quite popular as all the AI companies are racing to launch an AI-powered browser. But some security researchers have uncovered new vulnerabilities in AI-powered browsers that allow hidden instructions, known as prompt injections, to manipulate users’ browsers without their knowledge. The findings, shared by Brave, highlight risks in Comet, Fellou, and potentially other agentic browsers.
The research, conducted by Artem Chaikin (Senior Mobile Security Engineer) and Shivan Kaul Sahib (VP, Privacy and Security), builds on prior discoveries involving Perplexity’s Comet browser. Unlike traditional browsers, agentic AI browsers can act on a user’s behalf, making even simple commands potentially dangerous if malicious instructions are injected.
One risky attack uses Comet’s screenshot feature. When the AI reads the image, it treats the hidden text as a command and can carry it out. For example, faint light blue text on a yellow background can trick the AI and let attackers control the browser, even on sensitive accounts.
Fellou browser, while resistant to hidden-image attacks, still risks prompt injection through website navigation. Visiting a site with embedded malicious instructions can let the AI interpret visible content as trusted input, overriding user intent and carrying out harmful actions.
“These vulnerabilities highlight a systemic challenge in agentic browsers,” the researchers wrote. “AI assistants acting on behalf of users blur the line between trusted and untrusted content, making standard web protections less effective.”
The findings underscore the inherent dangers of agentic browsing. Researchers urge browsers to isolate AI actions from regular browsing and require explicit user approval for sensitive tasks like opening websites or reading emails. Until broader safety measures are implemented, using AI assistants to navigate sensitive sites carries risk.
