Home AI AI browsers can book your holiday—but they may also put your personal...

AI browsers can book your holiday—but they may also put your personal data at risk

Attack concept in which a malicious website leverages a prompt injection and a browser agent's cross-origin access to circumvent the same-origin policy and steal cross-origin data. Credit: University of Washington.

Artificial intelligence is changing the way people browse the internet.

New AI-powered web browsers can do much more than search for information.

They can plan holidays, compare prices, book restaurants, fill in online forms, and even add events to your calendar.

While these tools are impressive, new research suggests they may also create serious cybersecurity risks.

Researchers at the University of Washington recently tested seven popular AI browsers. They found that four of them could expose users to attacks that are normally blocked by modern web security.

The researchers say these browsers are powerful, but they may not yet be safe enough to fully protect people’s private information.

One of the biggest concerns involves a security rule called the “same-origin policy.” This rule has protected internet users for about 30 years. It keeps different websites from reading or sharing each other’s information.

For example, if you are logged into your online bank in one browser tab, a different website should not be able to see your banking details. This important protection has made web browsing much safer over the years.

The researchers found that some AI browsers weaken this protection because the AI agent is allowed to move between different websites while carrying out tasks for the user. That extra access can create new opportunities for cybercriminals.

To demonstrate the risk, the team carried out a successful test attack on one browser called ChatGPT Atlas. They showed that a malicious website could steal information from another website displayed inside the same page.

It is similar to an advertisement on an email website secretly reading information from your inbox. The researchers also found similar weaknesses in Chrome with Gemini, Claude for Chrome, and Perplexity Comet.

Another concern is something called “prompt injection.” This happens when a malicious website secretly hides instructions for the AI agent. The user cannot see these hidden messages, but the AI may follow them.

For example, the AI might be asked to summarise a webpage, but hidden instructions could tell it to copy private information and send it to a fake website instead.

The researchers also warned about “memory poisoning.” AI agents often remember information from previous tasks to improve future performance. If harmful instructions become mixed into that memory, the AI could accidentally reveal private information later, even after leaving the original website.

The researchers shared their findings with the companies behind the browsers. Some companies discussed the problems with the research team, while others did not accept the report. So far, there is no simple solution that keeps all of the AI features while also maintaining the highest level of security.

The researchers believe AI browsers have exciting potential, but they say the technology still needs more work before people should fully trust it with sensitive information such as emails, bank accounts, or personal records.

Until stronger protections are developed, users should be cautious about giving AI agents access to their most private online accounts.