Brave Exposes Critical AI Browser Security Flaws

The Brave browser team has uncovered critical security flaws in several popular AI-powered browsers, revealing how malicious websites can hijack AI assistants to access sensitive user accounts and data. These vulnerabilities impact applications like Perplexity Comet and Fellou, along with potentially other browsers where AI agents are designed to perform actions on a user’s behalf. The core issue involves indirect prompt injection attacks, where harmful instructions are concealed within a webpage’s content. When the AI processes this content, it mistakenly treats the hidden commands as legitimate user requests. Brave shared these findings publicly after first notifying the affected companies.

In the case of Perplexity Comet, researchers identified a weakness in its screenshot functionality. Websites can embed nearly invisible text, using colors that are barely perceptible to the human eye, which the AI extracts using optical character recognition. This extracted text is then executed as a command, allowing attackers to issue instructions without the user ever realizing it. Because Comet is not open-source, Brave’s team inferred this behavior rather than confirming it through source code analysis.

Fellou’s vulnerability involves its navigation system. When a user directs the AI assistant to visit a webpage, the browser automatically sends the visible page content to its AI system. This design enables the webpage’s text to override the user’s original intent, potentially triggering unintended AI actions. A user could visit a harmful site and inadvertently cause their AI assistant to perform unauthorized tasks, all without any direct interaction with the assistant itself.

The danger escalates significantly because AI assistants operate with the user’s full authentication privileges. A compromised AI browser could access banking portals, email accounts, corporate networks, and cloud storage where the user remains logged in. Brave emphasized that even a routine action like summarizing a Reddit post could lead to financial theft or data exposure if the post contains hidden malicious instructions.

Brave characterizes indirect prompt injection as a systemic issue for AI browsers, not just a problem for a few specific applications. The fundamental challenge lies in AI systems failing to maintain a clear distinction between trusted user input and untrusted content sourced from webpages. The company is holding back details on an additional vulnerability discovered in another browser, with plans to disclose that information next week.

These findings underscore a broader concern: traditional web security models are inadequate when AI agents act autonomously on a user’s behalf. Natural language instructions embedded in any webpage can initiate cross-domain actions, reaching sensitive services like banks, healthcare systems, and corporate platforms. Protections like the same-origin policy become ineffective because the AI assistant executes commands across all sites where the user is authenticated.

The disclosure coincides with OpenAI’s launch of ChatGPT Atlas, which includes agent mode capabilities, highlighting the ongoing tension between advanced AI functionality and robust security. Users of AI browsers with agent features now face a clear trade-off between the convenience of automation and their exposure to these systemic vulnerabilities.

Brave’s security research is ongoing, with additional findings expected to be released shortly. The company is also investigating longer-term solutions to address the underlying trust boundary problems inherent in agentic browsing.

(Source: Search Engine Journal)