Is it safe to use AI browsers like ChatGPT Atlas and Perplexity Comet?

The emergence of AI-enabled browsers, such as Perplexity's Comet and OpenAI's ChatGPT Atlas, marks a significant advancement in web technology. However, this innovation also introduces new security challenges, as highlighted in a recent report. Both Comet and Atlas are designed to handle multi-step actions on behalf of users, enhancing convenience but raising concerns over potential security vulnerabilities. Brave, a Chromium-based browser, has been particularly vocal about the risks associated with these so-called agentic AI browsers. In a previous investigation, Brave researchers uncovered a serious security flaw in Comet that could allow malicious websites to take control of the AI assistant, executing unauthorized tasks. This vulnerability, known as ‘Indirect prompt injection,’ enables attackers to embed hidden commands within web content, which the AI interprets as user instructions. The implications of this flaw are alarming. The report indicates that Comet allows users to take screenshots of websites and ask questions based on those images. However, attackers have been found to inject malicious prompts by embedding nearly invisible text within these images. As Brave explains, “An attacker embeds malicious instructions in Web content that are hard to see for humans,” posing a significant risk to unsuspecting users. In tests, Brave demonstrated how attackers could manipulate the AI assistant into executing harmful commands by cleverly disguising their instructions. Furthermore, researchers also identified vulnerabilities in another AI browser, Felou, revealing that it could inadvertently send both user commands and malicious instructions to its large language model (LLM). Brave warns that the vulnerabilities found in Comet are not isolated incidents, but rather indicative of a broader issue affecting multiple AI-enabled browsers. OpenAI, recognizing these risks, acknowledged the potential dangers associated with its Atlas browser during its launch presentation. While OpenAI claims that Atlas only accesses browser tabs and not other computer data, it has not provided specific details on how it addresses the threat of prompt injections. With growing concerns over these vulnerabilities, some users have started to voice apprehensions on social media, suggesting that Atlas may share similar security weaknesses as Comet. As the AI browser landscape evolves, users must remain vigilant about the potential risks these advanced technologies may pose.