Agentic browsers like Comet and Atlas are changing how we browse online and are also introducing new attack surfaces. The same early security issues that plagued past innovations like browsers, operating systems, and email are now resurfacing: the new AI-supported browsers are launching before we understand whether they’ve undergone stringent security reviews, code reviews or threat assessments. It seems they’ve been released, leaving it to other security researchers to identify the weaknesses and mitigate the risk of each vulnerability.
AI agents with browser control can amplify productivity or be turned into automated exploitation tools. If security isn’t built into these systems now, we’ll repeat the mistakes of firewalls, Web 2.0, and cloud infrastructure, only faster, at AI speeds.
It’s time to treat agentic browser security as a foundational requirement, not an afterthought.
Agentic browsers like Comet and Atlas are facing critical security scrutiny for introducing new, and in some cases severe, vulnerabilities tied to their autonomous, AI-driven design. Researchers have already demonstrated prompt injection and “CometJacking” attacks, in which weaponized links or hidden commands can hijack the AI agent to exfiltrate sensitive data such as emails, calendar info, and authentication codes, exploiting the privileged session access the browser holds on the user’s behalf.
Here is a breakdown of the current technical vulnerabilities:
Prompt Injection: Prompt injection has been a concern with SQL and with Generative AI since November 2022, when ChatGPT3 was released. Both Comet and Atlas can be tricked into executing malicious instructions hidden within web content or URLs. Attackers can embed hidden prompts in a page, within screenshot data, or in buttons, causing the browser’s AI agent to leak private data or perform unauthorized actions, often without user awareness.
CometJacking: For Comet, researchers showed that a single malicious URL could direct the agent to pull sensitive memory data, encode it, and send it to an attacker-controlled server with no further user interaction required. Because agentic browsers operate with the user’s privileges, this can mean deep access to authenticated emails, calendars, and even enterprise data.
Clipboard Injection (Atlas): Atlas is already vulnerable to clipboard injection, where the AI agent can unknowingly overwrite the clipboard with a malicious link from a compromised site, which the user may later paste, leading to credential or MFA theft.
Automation Exploits: Attackers are designing web pages that trigger agents to make purchases, transfer data, or submit sensitive forms, which is an automation risk not present in traditional browsers.
Session & Memory Leakage: The persistence of memory across tabs and sessions in agentic browsers means that a compromise in one workflow can lead to data exposure in others, broadening the blast radius of any intrusion.
Plugin/Supply Chain Risks: Integration of external APIs and plugins amplifies the attack surface, enabling cascading compromises if a single plugin is malicious or compromised. It’s crucial to consider that plugins are like the former toolbars and extensions that third parties provided to elevate the browser experience. As with the lessons learned years ago, use them sparingly and only if needed, as they are another attack vector and a way into your browser!
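For the prompt injection item above, one pre-processing mitigation is to separate what a user can actually see on a page from text hidden from them before any of it reaches the agent. The sketch below is an added example, not code from Comet, Atlas or any cited researcher; the function and class names and the sample page are constructed, and the hidden-text rules are an assumed heuristic covering inline styles and attributes only.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text from a human reader but not from a text extractor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)", re.I)
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link", "source", "wbr"}
ALWAYS_HIDDEN = {"script", "style", "template", "noscript"}

class VisibleTextExtractor(HTMLParser):
    """Split page text into what the user sees and what is hidden from them."""
    def __init__(self):
        super().__init__()
        self.stack = []                      # per open element: inside a hidden subtree?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:                 # void elements never hold text
            return
        a = dict(attrs)
        hidden = (bool(self.stack and self.stack[-1]) or tag in ALWAYS_HIDDEN
                  or "hidden" in a or a.get("aria-hidden") == "true"
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            in_hidden = bool(self.stack and self.stack[-1])
            (self.hidden if in_hidden else self.visible).append(text)

    def handle_comment(self, data):          # comments are never rendered
        if data.strip():
            self.hidden.append(data.strip())

def split_page_text(html):
    """Return (visible_text, hidden_fragments); only visible_text goes to the agent."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.hidden

# Constructed sample page: two visible elements plus three hidden fragments.
SAMPLE = """<h1>Quarterly report</h1><p>Revenue grew 4% year over year.</p>
<div style="font-size:0px">constructed hidden instruction for the agent</div>
<!-- constructed comment addressed to the agent -->
<button><span aria-hidden="true">constructed hidden label</span>Download</button>"""

if __name__ == "__main__":
    visible, hidden = split_page_text(SAMPLE)
    print("to agent:", visible)
    print("withheld and logged:", hidden)
```

This covers inline hiding only; text hidden through stylesheets, off-screen positioning, or pixels inside images and screenshots needs checks against the rendered page, and the withheld fragments are worth logging as a detection signal.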
Despite these findings, security validation and risk mitigation remain inconsistent. Multiple researchers and vendors have noted a disconnect between product launches and comprehensive, code-level security reviews, echoing the mistakes made in previous software waves where usability and innovation outpaced foundational security.
AI-powered agentic browsers represent a seismic shift in user empowerment, and for attackers as much as users. Security-by-design must catch up, or the cycle of post-hoc patching and data breaches will repeat itself at AI speed.
References:
- Gadgets360. Perplexity’s Comet AI Browser Is Vulnerable to Prompt Injections, Says Brave. Published October 21, 2025. Retrieved from: https://www.gadgets360.com/ai/news/perplexity-comet-ai-browser-vulnerable-to-prompt-injections-hacking-brave-browser-study-9497570
- Fortune. Experts warn OpenAI’s ChatGPT Atlas has security flaws that could turn it against users—stealing sensitive data, downloading malware, or worse. Published October 23, 2025. Retrieved from: https://fortune.com/2025/10/23/cybersecurity-vulnerabilities-openai-chatgpt-atlas-ai-browser-leak-user-data-malware-prompt-injection/
- The Hacker News. CometJacking: One Click Can Turn Perplexity’s Comet AI Browser Into a Data Thief. Published October 5, 2025.
- LayerX Security Blog. CometJacking: How One Click Can Turn Perplexity’s Comet AI Browser Against You. Published October 21, 2025.
- Tuta Blog. Think Twice Before Using Comet Browser: Security & Privacy Risks. Published September 30, 2025.
- The Register. OpenAI Defends Atlas as Prompt Injection Attacks Surface. Published October 21, 2025.
- TechRadar Pro. OpenAI’s New Atlas Browser May Have Extremely Concerning Security Issues, Experts Warn. Published October 23, 2025.
- Seraphic Security. The Rise of Agentic Browsers: A New Frontier in Browser Security. Published October 21, 2025.
- Brave Security Blog. Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet. Published August 19, 2025.
- Proton.me Blog. Is ChatGPT Atlas Safe? What You Should Know Before You Download It. Published October 21, 2025.