Major cybersecurity firms and government agencies are urging organizations to block the newest generation of AI-powered web browsers, warning that these tools introduce critical security vulnerabilities that could expose sensitive user data and corporate systems to attacks.
Research firm Gartner issued a stark warning last week advising that chief information security officers must block “all AI browsers in the foreseeable future to minimize risk exposure.” The UK’s National Cyber Security Centre reinforced these concerns, stating that there’s a good chance prompt injection “will never be properly mitigated” in large language models.
AI browsers such as Perplexity’s Comet and OpenAI’s ChatGPT Atlas incorporate artificial intelligence capabilities that allow them to navigate websites autonomously, fill out forms, and complete tasks on users’ behalf. While these features promise increased productivity, security researchers have identified fundamental flaws that make the browsers susceptible to manipulation by malicious actors. The primary vulnerability centers on prompt injection attacks, where hackers can embed hidden instructions in websites, emails, or even images that trick the AI into executing unauthorized actions.
When an AI browser processes this malicious content, it cannot distinguish between legitimate user commands and attacker-inserted instructions, potentially granting hackers access to banking accounts, corporate systems, private emails, and cloud storage. Unlike traditional web vulnerabilities that typically affect individual sites, these attacks enable cross-domain access through simple, natural language instructions embedded in websites.
Researchers at Brave Software discovered that attackers can hide prompt injection instructions in images using techniques such as faint light blue text on yellow backgrounds, making the malicious commands effectively invisible to human users. When Perplexity’s Comet browser analyzes these screenshots through optical character recognition, it extracts and executes the hidden text as if it were a legitimate user command. In demonstration attacks, researchers successfully accessed Gmail accounts and triggered unauthorized password recovery processes. Brave’s research team noted that AI-powered browsers that can “take actions on your behalf are powerful yet extremely risky.”
Anthropic, the company behind the Claude AI model, conducted extensive adversarial testing of its Chrome browser extension and found concerning results. In testing 123 attack scenarios representing 29 different attack types, Anthropic found that browser use without safety “mitigations showed a 23.6% attack success rate when deliberately targeted by malicious actors.” One successful attack involved a malicious email that instructed the AI to delete all emails in the user’s inbox for security reasons, which the system executed without seeking confirmation.
Even after implementing multiple layers of protection including improved system prompts, blocking access to high-risk website categories, and deploying advanced classifiers to detect suspicious instruction patterns, Anthropic reduced the attack success rate only to 11.2 percent. This represents a meaningful improvement over their existing Computer Use capability, yet still leaves a significant vulnerability window that security experts find concerning.
Evgeny Mirolyubov, senior director analyst at Gartner, warned that the loss of sensitive data “to AI services can be irreversible and untraceable. Organizations may never recover lost data.” The warning comes as AI browsers gain traction in enterprise environments, with cybersecurity firm Cyberhaven reporting that 27.7 percent of organizations already have at least one user with ChatGPT Atlas installed, and some enterprises seeing up to 10 percent of employees actively using the browser.
The UK’s National Cyber Security Centre explained that large language models fundamentally cannot distinguish between trusted instructions and untrusted content, making the problem inherent to the technology rather than a flaw that can be easily patched. Unlike traditional SQL injection vulnerabilities that can be mitigated through parameterized queries and established security practices, prompt injection represents a systemic challenge that current defenses can only partially address within a wider risk management strategy.
AI browsers send sensitive user data including active web content, browsing history, and open tabs to cloud-based AI services for processing. Gartner analysts observed in their advisory that default AI browser settings prioritize user experience over security, creating additional risks for organizations that have not implemented strict centralized management of security settings. Sensitive user data such as active web content, browsing history, and open tabs is often sent to cloud-based AI backends, increasing the risk of data exposure unless security and privacy settings are deliberately hardened and centrally managed.
Security vulnerabilities extend beyond prompt injection attacks. Researchers discovered that ChatGPT Atlas stores OAuth tokens unencrypted with overly permissive file settings on macOS, potentially allowing unauthorized access to user accounts. The vulnerability was documented by security research group Teamwin on October 27, 2025. Separately, cybersecurity firm LayerX Security identified a vulnerability in Perplexity’s Comet browser called CometJacking that could potentially exfiltrate user data to attacker-controlled servers.
For organizations considering AI browser deployment, Gartner recommends conducting thorough risk assessments of the backend AI services powering these browsers. Organizations with low risk tolerance should block AI browser installations entirely through network and endpoint security controls. Those with higher risk tolerance may experiment with tightly controlled, low-risk automation use cases, but must ensure robust guardrails and minimal sensitive data exposure. The analysts warn that mitigating AI browser risks will require years, not months, to fully understand potential threats, and that the ability to fully eliminate all risks is unlikely regardless of the time frame.
Individual users face similar risks when using AI browsers with personal accounts. Cybersecurity experts advise users to employ unique passwords, enable multi-factor authentication, and carefully limit the access granted to AI browser agents to protect their sensitive information.