As the race for building the leading artificial intelligence (AI) browser intensifies, experts say they contain serious unsolved cybersecurity issues.
Last week, OpenAI introduced its AI-powered browser, Atlas, which, according to the company, “was built with ChatGPT at its core” and brings users closer to having “a true super-assistant. "
“With Atlas, ChatGPT can come with you anywhere across the web – helping you in the window right where you are, understanding what you’re trying to do, and completing tasks for you, all without copying and pasting or leaving the page,” the press release reads.
In addition, the browser memory lets ChatGPT remember context from the sites users visited and bring that context back when users need it, OpenAI said.
By releasing Atlas, OpenAI is challenging its rivals, Perplexity AI and Google, in the heated race to build AI browsers. A day later, Microsoft entered the battlefield by rolling out an enhanced “Copilot Mode” on its Edge browser.
AI browsers promise convenience by automating tasks like responding to emails, making reservations, and shopping. However, such convenience comes with a high security price.
Taking over the most sensitive accounts
Ted Miracco, CEO at mobile app security company Approov, says the danger stems from the feature that grants an AI agent the ability to take action on users’ behalf with full access to their most sensitive accounts.
A malicious actor can hijack the agent and execute commands that take over users’ email, social, financial, and business accounts.
This is a serious frontend problem that remains unsolved, so users should be extremely cautious in sharing sensitive account information with the browser.
Ted Miracco
This can be done through a prompt injection attack, which involves an attacker manipulating a large language model to alter its behavior. For example, a compromised website may prompt the autonomously acting browser to reveal the user’s passwords.
Research by Guardio Labs found that scammers could trick the Perplexity AI’s Comet browser into making purchases by auto-filling users’ credit card numbers on fake shopping sites. The browser also fell for a phishing attack by failing to recognize a fake email and proceeding to log into a fake bank website.
In August, Brave, a competing web browser company, demonstrated that Comet fell victim to a prompt injection scam by summarizing the content of a Reddit webpage with hidden instructions to reveal the user’s sensitive data by replying to a Reddit comment.
Atlas also appears to lack immunity to cyber threats, as cybersecurity experts reportedly demonstrate successful prompt injection attacks within days of release.
Curious what others think about this story? Contribute your thoughts to the debate below.
As the concerns started circulating, OpenAI’s chief information security officer, Dane Stuckey, said the company was “very thoughtfully researching and mitigating” the emerging risk of prompt injections.
“For this launch, we’ve performed extensive red-teaming, implemented novel model training techniques to reward the model for ignoring malicious instructions, implemented overlapping guardrails and safety measures, and added new systems to detect and block such attacks,” Stuckey wrote on social network X.
Yesterday we launched ChatGPT Atlas, our new web browser. In Atlas, ChatGPT agent can get things done for you. We’re excited to see how this feature makes work and day-to-day life more efficient and effective for people.
undefined DANΞ (@cryps1s) October 22, 2025
ChatGPT agent is powerful and helpful, and designed to be…
However, this didn’t reassure cybersecurity experts, who see prompt injection attacks as one of multiple risks posed by AI browsers.
Miracco says another concern is AI browsers’ memory. Because these browsers are intentionally designed to learn by storing users’ activity, any sensitive information logged into the browser might be shared across the websites users visit.
“Your personal emails might be shared with your coworkers or healthcare providers,” he says
AI browsers vs traditional browsers
Shanti Greene, an adjunct professor at Washington University in St. Louis, says conventional browsers like Chrome and Firefox typically require explicit user actions such as phishing clicks or drive-by downloads to have similar impacts.
Meanwhile, agentic autonomy shifts this from “user-driven error” to “model-driven execution,” turning routine browsing into high-stakes exposure without user intervention.
It’s going to be a bloodbath, which we could avoid by figuring out how to best secure AI before deploying it. But we will not do it. We didn’t do it in the past.
Roger Grimes
Traditional browsers are mainly threatened by malware, stolen credentials, and malicious extensions, according to Jonathan Garini, chief executive and enterprise AI strategist at fifthelement.
Meanwhile, AI browsers introduce layers of trust and transparency risk, as users often can’t verify how their data is used to train models or whether it’s anonymized.
Roger Grimes, a chief information security officer at KnowBe4, says he has no hope that the new AI paradigm will be handled securely, nor that lessons from previous mistakes made in different contexts will be learned.
He told Cybernews, “It’s going to be a bloodbath, which we could avoid by figuring out how to best secure AI before deploying it. But we will not do it. We didn’t do it in the past.”
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked