AI browsers cybersecurity experts are sounding the alarm. The tools meant to make the internet smarter may be creating one of the most fragile digital frontiers yet.
OpenAI and Microsoft have both introduced AI browsers that can think, read, and act. ChatGPT Atlas and Copilot Mode are part of a race to blend search, memory, and automation inside the browser itself. The pitch sounds convenient. But cybersecurity researchers warn it might also be catastrophic.
A new Verge report by Robert Hart reveals just how deep the risks go. Vulnerabilities in OpenAI’s Atlas and Perplexity’s Comet already allow attackers to inject hidden instructions into a browser’s memory. Once triggered, those commands can steal data, execute malicious code, or quietly share information you never meant to give away. The term prompt injection has already become a staple in cybersecurity discussions, and the AI browsers cybersecurity landscape is changing faster than security standards can keep up.
Professor Hamed Haddadi of Imperial College London described the problem simply: “The attack surface has never been wider.” Each time the browser learns, it also remembers, storing more of what users read, type, and click. This creates enormous potential for tracking and profiling. The AI browsers cybersecurity problem is not just about bad actors. It is about the system itself becoming too curious.
UC Davis researcher Yash Vekaria says these browsers know more about you than traditional ones ever could. Every click and conversation feeds a growing behavioral map that can be exploited by advertisers and hackers alike. With stored payment data, logins, and search histories, a single compromised session could reveal more than a user realizes.
The market rush is another key factor. Lukasz Olejnik, a cybersecurity researcher at King’s College London, compares this moment to the early days of mobile apps, when convenience outpaced security. “Expect risky vulnerabilities to emerge,” he said. The AI browsers cybersecurity problem is not theoretical. It is historical. We have seen this cycle before with extensions, macros, and permissions. The tools evolve faster than our ability to defend against them.
The threat grows sharper when browsers begin acting on their own. Agentic features let the browser make decisions, click links, and submit forms automatically. That means attackers can trick it into sharing data or performing actions without the user’s knowledge. Prompt injections can even hide inside images or code snippets, invisible to the naked eye.
The only reliable defense, experts say, is to slow down. Professor Shujun Li of the University of Kent advises users to disable automated features unless absolutely necessary. “Browsers should start in an AI-free mode,” he says. The best cybersecurity sometimes begins with saying no.
Convenience is always the lure. But each shortcut we take online erodes one more layer of human awareness. The AI browsers cybersecurity problem is not just about code. It is about trust. We have built machines that are learning how we think. Now we need to make sure we still think for ourselves.
Read the original report by Robert Hart at The Verge.
For more Laterstack analysis, explore the Information Sharing Act and AI’s energy gap issues.