
The emergence of agentic AI browsers, such as Perplexity's Comet and OpenAI's ChatGPT Atlas, is introducing significant security vulnerabilities, primarily through 'indirect prompt injection.' Brave browser researchers have demonstrated how malicious actors can exploit these flaws to hijack AI assistants and perform unauthorized actions, even embedding hidden commands within images. While OpenAI acknowledged the inherent risks associated with its Atlas browser, the company has not fully detailed its protections against such prompt injections, and reports suggest Atlas may also be susceptible, posing a critical new security challenge for AI-powered browsing platforms.
The emergence of agentic AI browsers, including Perplexity's Comet and OpenAI's ChatGPT Atlas, is introducing significant cybersecurity risks, primarily through "indirect prompt injection" vulnerabilities. Brave browser researchers have demonstrated how malicious actors can exploit these flaws to hijack AI assistants and perform unauthorized actions, even embedding hidden commands within images. This systemic issue allows attackers to bypass user intent and security parameters, as seen with the Fellou browser.

Specifically, the vulnerability in Comet enables attackers to embed nearly invisible malicious instructions within images or web content, which the AI assistant then extracts and treats as commands. This technique lets the attacker direct the AI to use browser tools maliciously, as demonstrated by Brave's findings.

Similar prompt injection vulnerabilities have been reported by users for OpenAI's Atlas, despite the company acknowledging inherent risks. OpenAI, while aware of the new risks associated with sharing browser access with ChatGPT, has not clarified how Atlas is specifically protected against such prompt injections. This lack of detailed protection, coupled with the systemic nature of indirect prompt injections, suggests a significant challenge for the security of these platforms. The overall sentiment surrounding this development is strongly negative (-0.7) and cautious, indicating serious concerns within the industry.
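One defensive check for the nearly invisible web-content case described above, as an added example that is not code from Brave, Perplexity or OpenAI: flag low-contrast text in page HTML before it is handed to the assistant. It assumes colours are set as inline `#rrggbb` styles and uses an assumed WCAG contrast cut-off of 1.5; text rendered inside images is outside its scope.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link"}  # elements without an end tag

def _rgb(value):  # '#rrggbb' -> (r, g, b); None for anything else
    m = re.fullmatch(r"#([0-9a-f]{6})", value.strip())
    return tuple(int(m[1][i:i + 2], 16) for i in (0, 2, 4)) if m else None

def contrast_ratio(fg, bg):
    """WCAG 2.x contrast ratio: 1.0 for identical colours, 21.0 for black on white."""
    def lum(rgb):
        s = [c / 255 for c in rgb]
        lin = [v / 12.92 if v <= 0.03928 else ((v + 0.055) / 1.055) ** 2.4 for v in s]
        return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2]
    hi, lo = sorted((lum(fg), lum(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

class _Finder(HTMLParser):
    def __init__(self, threshold):
        super().__init__()
        self.threshold, self.flagged = threshold, []
        self.stack = [((0, 0, 0), (255, 255, 255))]  # assumed default: black on white

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        fg, bg = self.stack[-1]  # colours inherit from the enclosing element
        style = (dict(attrs).get("style") or "").lower()
        css = dict(re.findall(r"([\w-]+)\s*:\s*([^;]+)", style))
        fg = _rgb(css.get("color", "")) or fg
        bg = _rgb(css.get("background-color", "")) or bg
        self.stack.append((fg, bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip() and contrast_ratio(*self.stack[-1]) < self.threshold:
            self.flagged.append(data.strip())

def hidden_text(html, threshold=1.5):  # threshold is an assumed cut-off
    finder = _Finder(threshold)
    finder.feed(html)
    return finder.flagged

SAMPLE = ('<div style="background-color:#ffffff"><p>Weekend hiking guide</p>'  # constructed
          '<span style="color:#fdfdfd">CONSTRUCTED HIDDEN INSTRUCTION</span></div>')
```

Flagged runs can be dropped or quarantined before the page text enters the model's context; this is one signal and does not cover stylesheets, opacity or off-screen positioning.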