AI Browsers: Broken Promises and Real Risks
A University of Washington study reveals critical security flaws in agentic browsers like ChatGPT Atlas and Perplexity Comet
July 7, 2026 · 4 min read

TL;DR: AI browsers like ChatGPT Atlas and Perplexity Comet have serious security flaws that allow prompt injection attacks, according to a University of Washington study. Four out of seven analyzed browsers showed critical vulnerabilities, compromising user security.
The Dream of the Super Assistant Fades
OpenAI called it "a true super assistant" when introducing ChatGPT Atlas; Perplexity described Comet as "the browser that works for you"; and Google integrated Gemini into Chrome under the banner of a "new era of browsing." The promise was clear: delegate web navigation to AI, from summarizing pages to completing complex tasks across tabs. However, a year later, these tools have not only failed to transform our digital experience but have also opened a new front of vulnerabilities.
A University of Washington study, presented at the Agents in the Wild workshop and released on June 30, analyzed seven popular agentic browsers to evaluate their compliance with the Same-Origin Policy, a basic protection of the modern web. The results were alarming: four of them presented relevant risk pathways, and the researchers successfully executed a full proof-of-concept on ChatGPT Atlas in Agent Mode.
What Is an AI Browser and How Does It Work?
A traditional browser displays pages and waits for our decisions. We open a service, copy a piece of data, paste it into another site, compare options, or fill out forms. Each step depends on us. Agentic browsers change that logic: they incorporate systems capable of interpreting what appears on the screen and advancing within the browser itself. It's no longer just about summarizing a page, but about coordinating tasks across tabs, operating on open pages, and completing actions that were previously left to the user.
This ability to act on behalf of the user is what makes them powerful, but also dangerous. By delegating, the user loses granular control over each action, and the agent can be manipulated by malicious content.
The Risk of Prompt Injection
The University of Washington study identified prompt injection as the main threat, a technique in which external content alters the model's behavior through hidden commands. In a chatbot, this is already problematic; in a browser that can execute actions across multiple sites, the consequences can be catastrophic. The researchers demonstrated that by manipulating the content of a web page, an attacker could get the AI browser to perform unauthorized actions, such as sending user data to an external server or modifying security settings.
The root of the problem is that these browsers break the traditional security model based on origin. By allowing an agent to cross tabs and sites, the protection offered by the Same-Origin Policy is diluted, and the agent can be tricked into acting on behalf of the user without their explicit consent.
Which Browsers Are at Risk?
The study analyzed seven agentic browsers, including ChatGPT Atlas (OpenAI), Perplexity Comet, and Gemini capabilities in Chrome. Although the report does not detail all names for responsible disclosure, it did confirm that four of them had critical vulnerabilities. The researchers successfully exploited a proof-of-concept on ChatGPT Atlas in its agent mode, underscoring the severity of the problem.
OpenAI and Perplexity have been contacted for comment but have not yet responded. Google, for its part, has indicated that Gemini features in Chrome are designed with safeguards, but the study suggests these may be insufficient.
Implications for Users and Businesses
For users, the risk is concrete: by using an AI browser, they are ceding control of their web actions to a system that can be manipulated. This can lead to data theft, identity theft, or unwanted actions on banking services, social networks, or email.
For businesses, adopting these browsers in corporate environments could expose sensitive data to attacks. If an employee uses an agentic browser for tasks like email management or database updates, an attacker could exploit a vulnerability to access internal systems.
Furthermore, the study questions the maturity of these tools. If they cannot guarantee basic security, their mass adoption is premature. Companies investing in AI agent development must prioritize security before launching products to market.
The Future of AI Browsers
The University of Washington report is not a final condemnation but a wake-up call. AI browsers have potential, but they need a deep rethinking of their security architecture. In the meantime, users should be cautious: do not delegate critical tasks to these systems and keep their traditional browsers updated.
The industry must learn from these findings. The pressure to launch innovative products cannot override security. As the study notes, "the promise of agentic browsers is tempting, but the current risks are too high to ignore."
Conclusion
AI browsers have arrived, but they have not fulfilled their promise to revolutionize browsing. Instead, they have introduced vulnerabilities that threaten user security. The University of Washington study is a reminder that innovation must go hand in hand with security. Until these issues are resolved, caution is the best ally.