AI browsers are being marketed as the next frontier in web browsing, promising to summarize articles, book travel, and even make purchases on behalf of users. However, a new study from the University of Washington has revealed that four out of seven popular AI-enhanced browsers contain serious security vulnerabilities. These flaws could allow malicious websites to access sensitive data from other open tabs, undermining a fundamental security principle that has protected users for nearly three decades.
The Same-Origin Policy: A 30-Year Security Foundation Under Threat
Since 1995, web browsers have adhered to a critical security mechanism known as the same-origin policy (SOP). This rule ensures that content from one website cannot access data from another site, preventing a malicious page from reading information like banking details, emails, or personal documents that a user might have open in a separate tab. The SOP is a core part of web security, enforced by all major browsers to isolate potentially harmful scripts.
AI browsers, however, require a broader scope of access to function effectively. To complete tasks across multiple tabs—such as booking a flight by reading confirmation emails from an inbox while checking calendar availability—these AI agents must bypass the same-origin policy. This necessary relaxation of security is exactly what attackers can exploit.
How AI Browsers Are Being Manipulated
The researchers identified two primary methods of exploitation: prompt injection and memory poisoning. In a prompt injection attack, a malicious webpage embeds hidden instructions within its content. The AI agent, designed to process and act on all visible information, unknowingly follows these instructions, which can expose private emails, passwords, or calendar entries. This type of attack does not require sophisticated coding; it simply leverages the AI’s natural language processing capabilities to trick it.
Memory poisoning is more insidious. Here, planted instructions are stored in the AI agent's long-term memory. Even after the user closes the original malicious page, the instructions remain active and can trigger later when the agent accesses other sites. The researchers successfully demonstrated a proof-of-concept attack on ChatGPT Atlas, proving that the risk is not theoretical but real. Claude for Chrome was flagged as particularly dangerous because its browser extension design allows it to inject code directly into webpages, giving attackers a direct route to manipulate the agent.
Which AI Browsers Are Safe and Which Are Vulnerable?
The study evaluated seven popular AI browsers. Those found vulnerable include:
- ChatGPT Atlas (OpenAI)
- Chrome with Gemini (Google)
- Claude for Chrome (Anthropic)
- Perplexity Comet (Perplexity AI)
On the other hand, the following browsers exhibited stronger security properties:
- Microsoft Edge with Copilot
- Brave Leo
- Firefox AI Mode (Mozilla)
Interestingly, Firefox AI Mode was also the most limited in capability, suggesting a trade-off between functionality and security. The researchers disclosed their findings to all involved companies. Responses varied: Anthropic and Firefox did not respond to inquiries. Perplexity and OpenAI declined to take action, arguing that the researchers lacked a complete end-to-end attack demonstration. Whereas Google, Microsoft, and Brave engaged constructively with the findings and are reportedly working on mitigations.
Broader Context: The Rapid Pace of AI Browsers vs. Security
This study follows a previous exploit called BioShocking, which also demonstrated how AI browsers can be manipulated through context-based attacks. The recurring theme is that AI agents, by design, trust the content they process, making them susceptible to subtle manipulation. The researchers emphasize that the more capable an AI browser, the greater the risk. As companies race to integrate large language models directly into browsing experiences, security appears to be lagging.
The same-origin policy was established precisely to prevent this kind of cross-site data leakage. By breaking it for convenience, AI browsers open a Pandora's box. For instance, a user might have a private email open in one tab and a shopping site in another. An AI agent tasked with comparing prices could inadvertently expose email contents to the shopping site if it reads both simultaneously. While this functionality is revolutionary, it also creates an attack surface that malicious actors are already learning to exploit.
The researchers recommend that users exercise caution when using AI browsers for sensitive tasks. Until robust security measures are standardized, such as stricter input validation, memory encryption, and user consent prompts for cross-tab operations, the convenience of AI browsing comes with significant trade-offs. The industry is at a crossroads: either develop secure-by-design architectures for AI agents, or risk eroding trust in one of the most promising technological advances of the decade.
Source: Digital Trends News