AI Browsers Like Atlas, Comet Face ‘Systemic’ Risk of Prompt Injection, Security Researchers Warn
The findings come on the same day OpenAI unveiled ChatGPT Atlas, a new web browser designed with ChatGPT integrated at its core.

Brave Software, the company behind the Brave browser, has uncovered new security flaws across AI-powered browsers, warning that “agentic browsing” — where AI tools act on behalf of users — introduces deep systemic risks.
The findings come on the same day OpenAI unveiled ChatGPT Atlas, a new web browser designed with ChatGPT integrated at its core — marking the company’s biggest push yet to make AI a seamless part of everyday web use.
The latest findings expand on Brave’s earlier disclosure of the Perplexity Comet vulnerability, revealing that indirect prompt injection is not an isolated issue but a widespread threat in the emerging category of AI browsers.
According to Brave’s researchers, attackers can exploit hidden instructions in websites or images to hijack AI assistants and access sensitive data. In one case, Perplexity’s Comet feature — which lets users take and analyze webpage screenshots — was found vulnerable to malicious text embedded in images.
"As we’ve written before, AI-powered browsers that can take actions on your behalf are powerful yet extremely risky. If you’re signed into sensitive accounts like your bank or your email provider in your browser, simply summarising a Reddit post could result in an attacker being able to steal money or your private data," Shivan Kaul Sahib, VP, Privacy and Security, and Artem Chaikin, Senior Security Engineer at Brave, wrote in a blog post.
Once captured in a screenshot, these nearly invisible instructions are processed as legitimate commands, allowing attackers to manipulate browser tools.
A similar flaw was discovered in Fellou Browser, where simply visiting a compromised website could transmit malicious instructions to the AI model. This allows the attacker’s commands to override user intent and perform unauthorized actions.
Brave responsibly disclosed both issues — reporting Perplexity’s vulnerability on October 1 and Fellou’s on August 20, before publicly releasing details on October 20.
The company cautions that conventional web protections, like same-origin policies, fail when AI assistants act with user-level permissions. Such vulnerabilities could expose banking, healthcare, or enterprise accounts through seemingly harmless actions like summarizing a Reddit thread.
Brave concludes that these incidents point to a fundamental flaw: the lack of clear separation between trusted user input and untrusted web content. Until AI browsers adopt stricter isolation and user-triggered safeguards, the company warns, agentic browsing remains “inherently dangerous.”
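One way to express the separation and user-triggered safeguards described above, written as an added example rather than code from Brave or any of the browsers named. The tool names, the policy itself and the `.example` URLs are assumptions.

```javascript
// Added example. Tool names, origins and the policy itself are assumptions.
const SENSITIVE_TOOLS = new Set(["navigate", "submit_form", "read_mailbox"]);

// Keep every piece of model input tagged with where it came from, instead of
// concatenating user text and page text into one undifferentiated prompt.
function buildContext(userRequest, pageUrl, pageText) {
  return [
    { trust: "user", text: userRequest },
    { trust: "web", origin: new URL(pageUrl).origin, text: pageText },
  ];
}

// Gate a tool call proposed by the model. Once untrusted web content is in the
// context, the model's output is treated as possibly attacker-steered.
function authorizeToolCall(context, call, userConfirmed = false) {
  if (!SENSITIVE_TOOLS.has(call.tool)) {
    return { allow: true, reason: "tool is not on the sensitive list" };
  }
  const webSegments = context.filter((s) => s.trust === "web");
  if (webSegments.length === 0) {
    return { allow: true, reason: "context holds only trusted user input" };
  }
  if (userConfirmed) {
    return { allow: true, reason: "user explicitly approved this action" };
  }
  const target = call.url ? new URL(call.url).origin : null;
  const crossOrigin = target !== null && !webSegments.some((s) => s.origin === target);
  return {
    allow: false,
    reason: crossOrigin
      ? "cross-origin action requested while untrusted content is in context"
      : "sensitive action requested while untrusted content is in context",
  };
}

// Constructed sample: the page text stands in for content carrying hidden instructions.
const context = buildContext(
  "Summarise this thread",
  "https://forum.example/thread/1",
  "Visible post text. [constructed placeholder for hidden instruction text]"
);
const summarise = authorizeToolCall(context, { tool: "summarise" });
const bankCall = { tool: "navigate", url: "https://bank.example/transfer" };
const blocked = authorizeToolCall(context, bankCall);
const approved = authorizeToolCall(context, bankCall, true);
console.log(summarise, blocked, approved);
```

The gate does not try to detect injected text; it assumes any model output produced with web content in context may be steered, and moves the decision for sensitive actions back to the user.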