AI Browsers Create New Attack Surface for Prompt Injection

The browser has become ground zero for a new class of attacks. As AI copilots integrate deeper into Chrome, Edge, and specialized agentic browsers, security researchers are documenting a systemic vulnerability that vendors admit may never be fully eliminated: prompt injection.

The 2026 State of Browser Security Report from Keep Aware frames the problem bluntly. AI-integrated browsers process user instructions alongside untrusted web content in a single input stream. The AI cannot reliably distinguish between the two. That design flaw creates an exploitation surface that attackers have already begun targeting in the wild.

Agentic Browsers Are the New Target

Browsers like Perplexity's Comet and Opera's Neon aren't just rendering web pages—they're acting on them. These agentic copilots can navigate websites, fill forms, extract data, and execute multi-step workflows autonomously. That capability is precisely what makes them dangerous when compromised.

When users ask an AI browser to summarize a webpage, the browser feeds that page's content directly to its language model. If the page contains hidden instructions—white text, HTML comments, or even Reddit spoiler tags—the AI treats them as user commands. The attacker's webpage becomes the payload.

This isn't theoretical. In August 2025, Brave's security team documented an indirect prompt injection attack against Perplexity's Comet. Hidden instructions embedded in a Reddit post extracted a user's email address and one-time passcode from their Gmail inbox. The attack exploited a domain spoofing technique where a trailing dot created a different domain—perplexity.ai. versus perplexity.ai—to bypass authentication checks.

Zenity Labs identified additional flaws they dubbed "PleaseFix" affecting AI-powered browsers. Their proof-of-concept demonstrated attackers embedding malicious instructions in calendar invitations. When users accepted the invite, the AI browser could be manipulated to browse local directories, read files, and exfiltrate data to external servers. Perplexity patched Comet in February 2026, but the underlying architecture remains vulnerable to future variants.

Chrome's Gemini Panel Opened a Backdoor

Google's integration of Gemini into Chrome introduced its own security gap. CVE-2026-0628, discovered by Palo Alto Networks' Unit 42, allowed malicious extensions with basic permissions to hijack the Gemini panel entirely.

The vulnerability exploited Chrome's declarativeNetRequests API, which legitimately allows extensions to intercept HTTPS requests. Attackers could inject JavaScript into the Gemini panel when loaded as a browser component—distinct from the same application running in a normal tab. An extension influencing a website is expected behavior. An extension influencing a component baked into the browser represents a serious escalation.

Once compromised, the Gemini panel granted attackers access to the camera and microphone without user consent, local files and operating system directories, screenshot functionality across HTTPS websites, and the ability to conduct phishing attacks through a trusted interface. Google patched the vulnerability in January 2026 after responsible disclosure in October 2025.

The Extension Problem Keeps Growing

Browser extensions remain a primary attack vector, and AI capabilities make them more dangerous. We've covered how Chrome extensions stole ChatGPT conversations from 900,000 users by masquerading as AI productivity tools. The extensions transmitted harvested data every 30 minutes, capturing source code, business strategies, and personal information users shared with AI chatbots.

Microsoft's Security Research Team documented a separate campaign reaching nearly 900,000 installs across 20,000 enterprise tenants. The malicious extensions harvested LLM chat histories from ChatGPT and DeepSeek, leveraging the trust users place in browser add-ons.

The Urban VPN data harvesting scandal demonstrated how extensions with millions of users and Google's "Featured" badge can secretly intercept conversations with ChatGPT, Claude, Copilot, Gemini, and other major platforms. The extensions remain available despite public disclosure.

Why Traditional Defenses Fail

Phishing (29%), malicious browser extensions (19%), and social engineering (17%) remain the primary browser-based attack vectors according to the Keep Aware report. But AI introduces new blind spots that traditional security tools weren't designed to detect.

The core issue is architectural. Language models combine trusted instructions with untrusted content into a single processing stream. Every capability an AI system has—rendering content, fetching images, following links, accessing files—becomes a potential exploitation vector when the model cannot distinguish authorized from malicious input.

The situation parallels challenges we've seen with ChatGPT's web summaries becoming phishing delivery mechanisms. Users aren't clicking suspicious links or downloading unknown files. They're using AI tools exactly as intended. The payload arrives wrapped in the AI's trusted response format.

What Organizations Can Do

Brave's research team proposed four defensive layers worth considering:

Separation of contexts: Browsers should clearly separate user instructions from website content when sending them to backend models. The two streams should never merge without explicit demarcation.

Output validation: Model actions should undergo independent alignment checks against actual user requests before execution. If the AI attempts something the user didn't ask for, block it.

Mandatory confirmation: Security-sensitive actions—file access, credential use, data transmission—should require explicit user interaction before proceeding.

Mode isolation: Agentic browsing should be segregated from casual browsing with clear visual indicators. Users should know when they're in a mode where the browser can act autonomously.

For enterprises, the Keep Aware report recommends gaining visibility into how data, users, and AI agents interact within browser sessions. Most organizations lack adequate monitoring of AI-assisted activities occurring within their networks.

The Uncomfortable Truth

OpenAI has acknowledged that prompt injection vulnerabilities are unlikely to be completely eliminated in agentic systems. Mitigation through safeguards and adversarial testing remains possible, but the fundamental tension between AI capability and AI safety persists.

The 2026 browser security landscape reflects this reality. AI tools unlock genuine productivity gains, but they simultaneously introduce exploitation surfaces that attackers are actively probing. Organizations adopting AI-powered browsers should treat them as high-risk endpoints requiring additional oversight—not as more capable versions of the browsers they replaced.

For defenders following the broader AI security space, our resources on cybersecurity tools cover monitoring solutions designed for these emerging threat vectors.