AI browsers represent a major security threat

Amid the AI boom, AI web browsers, such as Perplexity’s Fellou and Comet, are starting to appear on corporate desktops. Such apps are touted as the next evolution of the humble browser, and come with built-in AI features; They can read web pages, summarize web pages and – at their most advanced – act on web content independently.

At least in theory, the AI browser promises to speed up digital workflows, conduct online research, and retrieve information from internal sources and the broader Internet.

but, Security research teams They conclude that AI browsers pose serious risks to the organization that cannot simply be ignored.

The problem lies in the fact that AI browsers are highly vulnerable to indirect injection attacks. These are where the form in the browser (or accessed via the browser) receives instructions hidden in specially designed websites. By embedding text into web pages or images in ways that are difficult for humans to discern, AI models can be fed instructions in the form of AI prompts, or modifications to user-entered prompts.

The bottom line for IT departments and decision makers is that AI browsers are not yet suitable for enterprise use, and represent a significant security threat.

Automation meets exposure

In tests, researchers discovered that text embedded in online content is processed by the AI browser and interpreted as instructions for the intelligent model. These instructions can be executed using user privileges, so the more access to information a user has, the greater the risk to the organization. The autonomy that AI gives to users is the same mechanism that amplifies the attack surface, and the greater the autonomy, the greater the potential scope for data loss.

For example, it is possible to embed text commands in an image that, when viewed in a browser, could trigger an AI assistant to interact with sensitive assets, such as corporate email, or online banking dashboards. Another test showed how an AI assistant’s prompt could be hacked and made to perform unauthorized actions on the user’s behalf.

These types of vulnerabilities clearly go against all principles of data governance, and are the most obvious example of how “shadow AI” in the form of an unauthorized browser poses a real threat to enterprise data. The AI model acts as a bridge between domains, circumventing same-origin policies — the rule that prevents data from one domain from being accessed by another.

Implementation and governance challenges

The root of the problem is the merging of user queries in the browser with live data accessed via the web. If an LLM cannot distinguish between safe and malicious input, it can easily access and act on data that was not requested by a human operator. When given agent capabilities, the consequences can be far-reaching, and can easily cause a cascade of malicious activity across an organization.

For an organization that relies on data hashing and access control, a compromised AI layer in a user’s browser can circumvent firewalls, enable token exchanges, and use secure cookies in the same way a user would. Effectively, the AI browser becomes an insider threat, with access to all the data and facilities of its human operator. The browser user will not necessarily be aware of the activity “under the hood”, so an infected browser may operate for long periods of time undetected.

Reducing the threat

IT teams should view first-generation AI browsers in the same way they approach unauthorized installation of third-party software. While it’s relatively easy to prevent certain programs from being installed by users, it’s worth noting that major browsers like Chrome and Edge come with increasing numbers of AI features in the form of Gemini (in Chrome) and Copilot (in Edge). Browser companies are actively exploring the potential of AI-enhanced browsing, and proxy features (which give significant autonomy to the browser) will quickly emerge, driven by the need for a competitive advantage among browser companies.

Without proper oversight and controls, organizations expose themselves to significant risks. The following features should be checked for future generations of browsers:

Immediate isolation, separating user intent from third-party web content before generating an LLM claim.
Gated permissions. AI agents should not be able to perform autonomous actions, including navigation, data retrieval, or file access, without explicit confirmation from the user.
Sensitive browsing (e.g. HR, finance, internal dashboards, etc.) is sandboxed so there is no AI activity in these sensitive areas.
Governance integration. Browser-based AI must align with data security policies, and the software must provide logs to make it easier to track agent actions.

To date, no browser vendor has offered an intelligent browser with the ability to distinguish between user-driven intent and model-interpreted commands. Without it, browsers may be forced to act against the organization through the relatively trivial use of instant injection.

Takeaway for the decision maker

Agentic AI browsers are being presented as the next logical evolution in web browsing and workplace automation. They are deliberately designed to blur the distinction between user activity/human activity and become part of interactions with an organization’s digital assets. Because LLMs in AI browsers are easily circumvented and damaged, the current generation of AI browsers can be considered dormant malware.

Major browser vendors appear poised to incorporate AI (with or without proxy capabilities) into future generations of their platforms, so careful monitoring of each release must be done to ensure security oversight.

(Image source: “Unexploded Bomb!” by Hugh Lillylin licensed under CC BY-SA 2.0.)

Want to learn more about AI and Big Data from industry leaders? Payment Artificial Intelligence and Big Data Exhibition Taking place in Amsterdam, California and London. The overall event is part of Tkx The site participates with other leading technology events. Click here For more information.

Artificial Intelligence News is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.

(Tags for translation)Cybersecurity

AI browsers represent a major security threat

Automation meets exposure

Implementation and governance challenges

Reducing the threat

Takeaway for the decision maker

lasted

Databricks’ research reveals that building better AI-driven judges is not just a technical concern, it is a people issue

Why the for-profit race toward solar geoengineering is bad for science and public trust

Rivian has created another subsidiary called Mind Robotics

Generations in Dialogue: Bridging Perspectives in Artificial Intelligence – A new podcast from AAAI

This week’s cool tech stories from around the web (through November 1)

It doesn’t have to be a Chatbot

WhatsApp launches a companion app for Apple Watch, allowing users to get call notifications, read full messages, record and send voice messages.(Aisha Malik/TechCrunch)

I Quit My $120K Job Building Flutter Apps — Here’s What No One Told You About Starting On Your Own | By Seung-chul Jeff Ha | November 2025

Frustrating AI. When reducing the size of artificial intelligence | By Matt Drabek | November 2025

13 essential foods that will boost your kidney health this winter

Automation meets exposure

Implementation and governance challenges

Reducing the threat

Takeaway for the decision maker

Related Posts

lasted