Thinking of Using an AI Browser? Think Again.

A security researcher at BRAVE recently exposed a critical flaw in AI-powered browsers that could put users’ accounts at risk. According to the research, these browsers are vulnerable to indirect prompt injection attacks, which could allow hackers to access accounts that are currently logged in.

Here’s how the attack works: a hacker can hide malicious instructions within webpage content—using methods like white text on a white background, HTML comments, or even social media posts. In a demonstration involving Comet (the AI browser from Perplexity), the attacker embedded instructions in a Reddit comment behind a spoiler tag. When a user clicked the “Summarize this webpage” button, the AI failed to distinguish between the user’s request and the hidden commands, executing everything automatically.

In the demo, the hidden instructions told Comet to access the user’s Perplexity account, retrieve their email, open Gmail (where they were already logged in), get a one-time password, and post both pieces of information back to the Reddit comment. Essentially, the attacker could take over the user’s account with just a single click.

What makes this vulnerability particularly alarming is that these AI browsers run with your logged-in privileges. If you’re signed in to sensitive services like your bank or email, hidden instructions could potentially access these accounts, stealing data or even money. The risk is compounded by the fact that attackers could hide instructions in screenshots using nearly invisible text, or, in some browsers, simply navigating to a malicious website could automatically send content to the AI without any user action.

Until browser makers implement proper security measures that clearly separate user instructions from webpage content, it’s important to exercise caution when using AI-powered browsers. Only share what’s necessary, and be aware that the AI may execute commands you didn’t explicitly request.