cvtoken.vip

How to Use AI Browsers Without Getting Hacked

Add as a preferred source on Google Credit: René Ramos/Lifehacker/The Browser Company/OpenAI/Perplexity Table of Contents For the past few day...

Add as a preferred source on Google

Credit: René Ramos/Lifehacker/The Browser Company/OpenAI/Perplexity

Table of Contents


For the past few days, I’ve been poking around every AI browser I could get my hands on. So far, I’ve performed general research tasks on Perplexity Comet and used ChatGPT Atlas to successfully navigate an Amazon checkout. I even spent some time familiarizing myself with the new Dia browser from the developers of Arc.

As I've explored these browsers, I've been mindful of the many security risks to contend with: Prompt injection, where malicious AI prompts are hidden in a website or browser extension’s HTML source code, is the most obvious threat. But there are also cases of AI agents acting without a user’s permission to access your logged-in accounts. Moreover, AI browsers can leak data between browser tabs and hand over user credentials on clever prompting without even using any malicious code. 

But despite the risks, there are legitimate ways to experiment with AI browsers without compromising your privacy. In fact, most of these browsers have optional features you can enable to both beef up your security and keep the apps from having more access than they need. If you're going to use an AI browser on your device, here's what you need to know to protect yourself.

What makes AI browsers a security risk?

A regular web browser can only open a page for you after you make the request. You still decide which sites to navigate to and what buttons to interact with. With AI browsers like Atlas or Comet, the browsers themselves scan and analyze a web page for you, summarize information, and even act autonomously to execute tasks in agent mode. These things make AI browsers very convenient for daily use, but they also expose them to new vulnerabilities, as attackers can now manipulate the browser to access your accounts and data much more easily. 

AI prompt injection is the most popular example, since bad actors simply need to hide malicious instructions within websites for it to work. Even the official OpenAI documentation warns against using Atlas with production data because of prompt injection fears. Worse still, prompt injection attacks require no compromising action on your part. Simply navigating to a web page that has these AI prompts hidden in layers of source code is all it takes. You won’t even see the malicious instructions while you’re browsing the web page, but your browser will read the invisible instructions and automatically do what it tells them without asking for verification or consent from you.

Brave’s security team used several prompt injection attacks to demonstrate issues with Perplexity Comet, which has since been termed CometJacking. In one particular case, Comet dug up its user's email address, obtained a one-time password from their inbox, and forwarded it to an attacker without anyone the wiser. All it took was a request to summarize a Reddit thread that had malicious prompts hidden in it. 

ChatGPT Atlas has also revealed similar vulnerabilities. Security researcher Johann Rehberger got the browser to switch from light mode to dark mode using a simple command hidden inside a Word document that he asked the browser to read. As LayerX explains, Atlas is also susceptible to cross-site request forgery (CSRF), where a malicious web page can send instructions to your browser as if you had typed them yourself. Moreover, AI browsers don’t use the same blocklists and heuristics as traditional ones to flag known phishing websites, so they’re more likely to let you access a scammer’s website without blocking it. LayerX says Atlas users are 90% more susceptible to these types of attacks compared to Chrome or Edge users. 

Automated checkouts carry a direct financial risk. While AI browsers are relatively new, Amazon already won a court injunction to prevent Comet from completing checkouts for users on its websites, because it’s known to bypass certain security measures put in place to prevent financial fraud.

Enable built-in browser settings for better safety

AI browsers carry too many vulnerabilities and loopholes for regular usage, but that doesn’t mean you can’t use them at all without compromising your data. There are many built-in privacy settings you can enable for extra protection, along with some general best practices for safe browsing that can be particularly useful. Before you start using an AI browser, make sure that it’s configured correctly to get rid of the biggest loopholes that attackers tend to use. Here’s what I discovered to be most effective. 

Disable data sharing so AI browsers don’t train models on your data

Almost every AI browser uses your browsing patterns and search history to train future iterations of its AI models, so it’s effectively getting better at doing things by learning from your day-to-day tasks. That means all your browsing data is being sent to the browser’s developers by default unless you specifically opt out. Luckily, browsers that train models on your data also give you the option to disable training, at least on paid plans. This is always the first feature you should turn off if you use AI Browsers.

What do you think so far?

Keep your browser from accessing your logged-in sessions

Using the Logged out version of Agent mode with ChatGPT Atlas

Using the Logged out version of Agent mode with ChatGPT Atlas Credit: OpenAI/ChatGPT

As we saw with the Comet demonstration, AI browsers can be manipulated into accessing your logged-in accounts on different websites and retrieving sensitive information through prompt injection. Depending on their level of access, they can also go into your accounts to execute certain actions without your knowledge, like sending an email or downloading a file. 

In ChatGPT Atlas, you can specifically prevent the AI from accessing your logged-in browser sessions in Agent Mode, so that it’s forced to ask for your credentials each time it needs to log into an email account or social media profile. While there’s no exact equivalent to this feature with Comet or Dia, those browsers also offer controls that let you decide how much access your agent can have. 

Turn off persistent memory unless you really need it

With standard prompt injection attacks, AI browsers read an attacker’s instructions and execute them only a single time. But there’s a more sophisticated form of prompt injection called memory poisoning. Attackers inject malicious instructions into your AI’s account-specific memory, which is retained across all your devices in each and every session. For example, an attacker could use memory poisoning to have your browser leak your most recent emails each day, instead of just the one time it reads malicious instructions. Hackers can use this tactic to compromise your data and hijack access across multiple devices where you use the same AI browser, which is even more of a threat with cross-platform browsers like Comet and Dia. 

Restrict what agents can access on sensitive sites

Restrict access to sensitive sites when using Comet

Restrict access to sensitive sites when using Comet Credit: Perplexity AI

With Atlas, hardcoded limits prevent the browser from running code, downloading files, installing extensions, or accessing your device’s file system by default. With Comet and Dia, things are kept more open-ended, though they both offer some protection from letting your agents handle sensitive financial data by default. But if you’d like to take this a step further, you can disable agent access to sensitive websites like banking and healthcare platforms, so that they can’t see anything or take actions on these sites. Doing this fully insulates you from prompt injection attacks aimed at these platforms. 

A few additional best practices for AI browser safety

Generally speaking, the less data and permissions that your agentic browser has access to, the less damage it can do during an attack. Apart from the built-in security settings described above, there are some general best practices that I like to follow whenever using a browser like Atlas, Comet, or Dia: