Artificial intelligence (AI) browsers are vulnerable to “prompt injection,” a method where malicious instructions are embedded in web content to trick the AI into performing unauthorized actions. This is especially dangerous with “agentic browsers,” which automate complex tasks and could be manipulated to steal sensitive data or make unauthorized purchases.
AI browsers are rapidly gaining traction for their ability to assist users by summarizing articles, answering questions, and more. This rise in popularity, however, has brought a new security threat to the forefront: prompt injection. Unlike traditional hacking that relies on code vulnerabilities, prompt injection exploits the very language that large language models (LLMs) are built on. It’s a clever trick where attackers embed malicious instructions within seemingly harmless data, like a hidden comment on a social media site or white text on a white background on a website. These invisible commands can override the AI’s core instructions, making it perform actions it wasn’t designed to do. As users become more comfortable trusting these AI tools with sensitive data, the risks of such attacks multiply.
While a regular AI browser assists users with manual guidance, a new type of browser called an agentic browser takes automation to a new level. These browsers can execute complex, multi-step tasks with little to no user intervention. For example, a user could simply ask an agentic browser to “find and book the cheapest flight to Paris,” and the browser would handle all the research, form-filling, and payment processing on its own. While incredibly convenient, this level of autonomy significantly amplifies the danger of prompt injection. A malicious website could inject a hidden prompt that instructs the agentic browser to steal payment information or redirect funds to another account during a transaction. The user would be completely unaware that their browser is being manipulated, potentially leading to financial loss or exposure of private data.
The article highlights a specific type of prompt injection known as indirect prompt injection. This is where the malicious instructions aren’t provided directly by the user but are instead embedded in external content that the AI browser processes as part of its task. A criminal could set up a website with fake competitive pricing to lure a user, but its true purpose is to inject a malicious prompt into the agentic browser. This can be done by using text that’s invisible to the human eye, but easily readable by the AI, like white text on a white background. This kind of attack is difficult for users to detect because the malicious input is not coming from their own commands, but from the content the browser is naturally interacting with.
The vulnerability of agentic browsers, like the one Brave found in Perplexity’s Comet, highlights the critical need for robust security measures in their design. Developers must create a clear distinction between user-provided instructions and the web content the AI processes. The system must be able to understand that commands from the user are the priority and that web content is merely data to be acted upon, not a source of new instructions. Without this separation, even a simple website visit could become a security risk. Despite Perplexity’s attempts to patch the vulnerability, the issue persists, underscoring the complexity and difficulty of fully mitigating these types of language-based attacks.
Given the current vulnerabilities, it’s essential for users to practice caution when using agentic browsers. The best way to protect yourself is to limit the browser’s permissions, only granting access to sensitive information or system controls when absolutely necessary. Always verify the source of links and websites before allowing the browser to interact with them automatically. Staying informed about prompt injection risks and keeping your software updated with the latest security patches are also crucial. Lastly, avoid fully automating high-stakes transactions. For example, you should limit the amount of money your agentic browser can spend without your explicit authorization. By combining user vigilance with improved developer security, we can begin to safely navigate the powerful world of agentic browsing.
Reference:
