
AI Browsers Under Attack: Data at RISK

A dangerous new category of cyberattacks is exploiting AI-powered browsers to steal sensitive corporate data and install malware, bypassing traditional security controls that protect American businesses.

Story Overview

  • AI browsers like OpenAI’s Atlas and Perplexity’s Comet contain critical vulnerabilities allowing data theft and malware installation
  • 77% of employees paste sensitive data into AI tools, with 82% using unmanaged personal accounts outside IT oversight
  • Traditional enterprise security tools cannot detect or prevent these browser-based attacks
  • Security researchers confirm these are systemic architectural flaws, not isolated bugs

AI Browsers Create New Attack Surface

Security researchers have discovered that AI-powered browsers represent a fundamentally different threat landscape than traditional web browsers. Unlike Chrome or Firefox, which serve as passive windows to the internet, AI browsers integrate large language models directly into the browsing experience. This creates an “always-on co-pilot” that processes user data in real time, making sensitive information accessible to attackers who can manipulate the AI agents through sophisticated prompt injection techniques.

The Browser Security Report 2025 reveals the scope of this vulnerability: GenAI tools now account for 32% of all corporate-to-personal data movement, creating massive blind spots in enterprise security. Nearly half of all employees use these AI tools through unmanaged accounts, operating completely outside IT visibility and control. This represents a parallel computing environment where Data Loss Prevention, Endpoint Detection, and other security controls operate “one layer too low” to provide protection.

Critical Vulnerabilities Exposed in Major AI Browsers

NeuralTrust researchers discovered that OpenAI’s Atlas browser contains a critical flaw in its Omnibox text input field. Attackers can disguise malicious instructions as URLs, causing the browser to treat the entire content as a high-trust user prompt with reduced safety checks. This vulnerability could enable attackers to access Google Drive accounts and perform mass file deletions or data theft operations without user awareness.

LayerX Security researchers demonstrated an even more alarming vulnerability in Perplexity’s Comet browser, dubbed “CometJacking.” A single weaponized URL, requiring no malicious page content, can completely hijack the browser’s AI agent. The attack proceeds through five stages: the attacker crafts a malicious URL, the user clicks the link, the AI engine follows the attacker’s instructions, the stolen data is disguised through base64 encoding, and the data is finally exfiltrated to attacker-controlled servers.
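The last two stages described above (base64-disguised data sent to an outside server) leave a trace in outbound traffic that defenders can look for. The following is an added example, not code from LayerX or from the original article: it scans outbound URLs for query values that decode from base64 into readable text. The function names, the length threshold, the allowlist parameter and the sample hosts are all assumptions, and the sample URLs are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed threshold: ignore values shorter than 24 base64 characters.
B64_VALUE = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")

def _b64(text):
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")

# Constructed sample of outbound requests, as a proxy log might record them.
SAMPLE_URLS = [
    "https://mail.example.com/inbox?folder=sent&page=2",
    "https://cdn.example.net/app.js?v=9f86d081884c7d659a2feaa0c55ad015",
    "https://collector.example.org/log?d=" + _b64("subject: Q3 payroll; to: cfo@example.com"),
]

def decode_if_text(value):
    """Return the decoded text if value is base64 wrapping readable text, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns a literal '+' into a space
    if not B64_VALUE.match(value):
        return None
    std = value.rstrip("=").replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)     # restore padding stripped by the sender
    try:
        text = base64.b64decode(std, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                  # random tokens and hashes end up here
    readable = all(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if readable else None

def flag_encoded_exfil(urls, known_hosts=frozenset()):
    """Return (host, parameter, preview) for each query value hiding readable text."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname in known_hosts:  # hypothetical allowlist of sanctioned hosts
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            text = decode_if_text(value)
            if text is not None:
                findings.append((parts.hostname, name, text[:40]))
    return findings

if __name__ == "__main__":
    for finding in flag_encoded_exfil(SAMPLE_URLS):
        print(finding)
```

A hit is a lead for review rather than proof of theft, since some legitimate services also pass base64 text in URLs; the allowlist exists to suppress those.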

Malware Installation Through AI Agent Manipulation

Kaspersky researchers successfully demonstrated that AI agents can be tricked into downloading and installing malware through social engineering techniques. In one experiment, researchers sent a fake email claiming to contain blood test results to an AI agent within the Comet browser. When the agent encountered a CAPTCHA, it was prompted to complete a “special task” that resulted in downloading a malicious file onto the user’s system.

These attacks represent a paradigm shift in cybersecurity threats. Rather than exploiting code execution vulnerabilities, attackers are manipulating the natural language processing capabilities of AI agents themselves. OpenAI’s Chief Information Security Officer Dane Stuckey acknowledged that “prompt injection remains a frontier, unsolved security problem,” indicating that tech companies are struggling to address these fundamental architectural weaknesses.

Sources:

New Browser Security Report Reveals GenAI as Top Data Exfiltration Channel
Serious New Hack Could Let Attackers Control OpenAI’s AI Browser
CometJacking: How One Click Can Turn Perplexity’s Comet AI Browser Against You
AI Browser Security and Privacy Risks
Unseeable Prompt Injections
AI Browsers Could Leave Users Penniless: A Prompt Injection Warning