A new security report suggests that AI-powered browsers – the kind that can read, summarise, and even take actions on your behalf – might be more dangerous than they appear.
According to new vulnerability research from Brave’s security team, hidden prompt injections are being discovered across multiple AI browsers, including Perplexity’s Comet and Fellou, revealing that these tools could unintentionally expose sensitive user data.
The team’s latest findings expand on a previous discovery in Perplexity Comet, showing that attackers can embed malicious instructions inside screenshots. When a user asks the browser’s AI to summarise an image, hidden text can be extracted and executed as a command.
That could lead to an AI assistant acting on those commands using the user’s authenticated browser privileges, potentially accessing email, banking, or corporate accounts.
In another case, Brave’s researchers found that the Fellou browser could be manipulated simply by visiting a compromised website. When users asked the AI to navigate to a page, the browser passed both the user’s request and the site’s text to its language model, letting attackers override the user’s intent with their own malicious instructions.
Brave’s Senior Mobile Security Engineer Artem Chaikin and VP of Privacy and Security Shivan Kaul Sahib, who authored the report, said these issues highlight “a systemic challenge facing the entire category of AI-powered browsers.” In short, the same AI that makes browsing easier can also make it riskier, blurring the line between what’s safe and what isn’t.
The implications go beyond these two apps. As the report notes, long-standing web security protections like the same-origin policy, which normally prevents one website from accessing data from another, don’t hold up when an AI assistant has permission to act for the user. A simple prompt hidden on a page or even in a Reddit comment could trigger dangerous cross-domain actions.
Brave’s team says it’s continuing to research ways to make agentic browsing safer and recommends browsers separate AI-assisted actions from regular browsing until stronger safeguards are developed.
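An added illustration of the pattern described above (not code from Brave's report or from any browser): page text is kept out of the instruction channel, and every action the model proposes is checked against the origins the user actually asked about, which re-imposes an origin boundary at the agent layer. All function names, action types and example URLs are assumptions.

```javascript
// Added illustration; every name here is hypothetical, not any browser's real API.
const READ_ONLY = new Set(["read", "summarise"]);

// Keep the user's request and the page's text in separate fields so page
// text is never concatenated into the instruction channel.
function buildModelInput(userRequest, pageText) {
  return {
    instructions: userRequest,                          // trusted: typed by the user
    untrustedData: { source: "page", text: pageText },  // treated as data only
  };
}

// Decide what happens to an action the model proposes after reading a page.
// task.origins lists the sites the user explicitly asked the agent to work on.
function gateAction(task, action) {
  let target;
  try {
    target = new URL(action.url).origin;
  } catch {
    return "deny";                                      // unparsable target
  }
  const allowed = task.origins.map((u) => new URL(u).origin);
  if (!allowed.includes(target)) return "deny";         // outside the user's request
  if (!READ_ONLY.has(action.type)) return "confirm";    // state-changing: ask the user
  return "allow";
}

// Constructed sample: the user asked for a summary of one news site.
const task = { request: "Summarise this article", origins: ["https://news.example"] };
const proposed = [
  { type: "summarise", url: "https://news.example/story" },
  { type: "submit_form", url: "https://news.example/comment" },
  { type: "read", url: "https://mail.example/inbox" },  // not what the user asked for
];
const decisions = proposed.map((a) => gateAction(task, a));
console.log(decisions);
```

Field separation alone does not stop a model from obeying text it reads; the gate on proposed actions is what enforces the boundary.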
For now, the takeaway is clear: AI browsers may be the next frontier in web convenience – but they’re also opening up a whole new class of risks.









