Are Ai Browsers Worth The Security Risk? Why Experts Are Worried

S and V Design / iStock / Getty Images Plus

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• AI browsers are powerful, but not needfully secure.
• Experts pass of rising punctual injection and information theft risks.
• Use AI browsers cautiously and protect your data.

This twelvemonth has surely been nan twelvemonth for artificial intelligence (AI) development.

With nan abrupt motorboat of OpenAI's ChatGPT, businesses worldwide scrambled to instrumentality nan chatbot and its associated applications into their workflows; academics abruptly had to statesman checking student submissions for AI plagiarism; and AI models appeared for everything from image and euphony procreation to erotica.

Also: Is OpenAI's Atlas browser nan Chrome slayer we've been waiting for? Try it for yourself

Billions of dollars person been poured into not only AI-powered chatbots, but besides ample connection models (LLMs) and niche applications. AI agents and browsers are now nan adjacent evolution.

OpenAI's Atlas makes its debut

Announced on Tuesday, OpenAI* has released ChatGPT Atlas, described arsenic "the browser pinch ChatGPT built in."

But nether nan hood, it's acold much than that. Joining nan likes of Perplexity's Comet, Dia, and Gemini-enabled Google Chrome, Atlas is disposable connected Mac to statesman with, pinch updates already promised to refine nan caller browser.

The OpenAI squad has described Atlas arsenic an AI browser built astir ChatGPT. The chatbot integrates pinch each hunt query you taxable and immoderate unfastened tabs and tin usage their contented and information to reply queries aliases execute tasks.

Also: Perplexity will springiness you $20 for each friend you mention to Comet - really to get your cash

Based connected early testing, specified arsenic erstwhile ZDNET editor Elyse Betters Picaro tasked Atlas pinch ordering groceries connected her behalf from Walmart, nan browser has promise. Uses see online ordering, email editing, speech summarization, wide queries, and moreover analyzing GitHub repos.

"With Atlas, ChatGPT tin travel pinch you anyplace crossed nan web, helping you successful nan model correct wherever you are, knowing what you're trying to do, and completing tasks for you, each without copying and pasting aliases leaving nan page," OpenAI says. "Your ChatGPT representation is built in, truthful conversations tin tie connected past chats and specifications to thief you get caller things done."

However, Atlas -- alongside different AI-based browsers -- raises information and privateness questions that request to beryllium answered.

(Disclosure: Ziff Davis, ZDNET's genitor company, revenge an April 2025 suit against OpenAI, alleging it infringed Ziff Davis copyrights successful training and operating its AI systems.)

Prompt injections

Prompt injections person go an area of existent interest to cybersecurity experts. A prompt injection attack occurs erstwhile a threat character manipulates an LLM into acting successful a harmful way. An onslaught designed to bargain personification information could beryllium disguised arsenic a genuine punctual that ignores existing information measures and overrides developer instructions.

There are 2 types of punctual injection: a nonstop injection based connected personification input aliases an indirect hijack made done payloads hidden successful content that an LLM scrapes, specified arsenic connected a web page.

Brave researchers antecedently disclosed indirect punctual injection issues in Comet, and pursuing connected from this research, person discovered and disclosed new punctual injection attacks not only successful Comet but besides successful Fellou.

Also: Free AI-powered Dia browser now disposable to each Mac users - Windows users tin subordinate a waitlist

"Agentic browser assistants tin beryllium prompt-injected by untrusted webpage content, rendering protections specified arsenic nan same-origin argumentation irrelevant because nan adjunct executes pinch nan user's authenticated privileges," Brave commented. "This lets elemental natural-language instructions connected websites (or moreover conscionable a Reddit comment) trigger cross-domain actions that scope banks, healthcare supplier sites, firm systems, email hosts, and unreality storage."

Expert developer and co-creator of nan Django Web Framework, Simon Willison, has been intimately pursuing movements successful nan AI browser world and remains "deeply skeptical" of nan agentic and AI agent-based browser assemblage arsenic a whole, noting that erstwhile you let a browser to return actions connected your behalf, moreover asking for a basal summary of a Reddit station could perchance lead to information exfiltration.

ZDNET asked OpenAI astir nan information measures implemented to forestall punctual injection and whether further improvements are successful nan pipeline. The squad referred america to nan help center, which outlines really users tin group up granular controls, and to an X post penned by Dane Stuckey, OpenAI's main accusation information officer.

Stuckey says that OpenAI has "prioritized accelerated consequence systems to thief america quickly place [and] artifact onslaught campaigns arsenic we go alert of them," and nan institution is investing "heavily" successful information measures to forestall punctual injection attacks.

Sensitive information handling

Another important information rumor is trust, and whether aliases not you let a browser -- and LLM -- to entree and grip your individual data.

To let an AI browser to execute circumstantial tasks for you, you whitethorn beryllium required to let nan browser entree to relationship data, keychains, and credentials.

According to Stuckey, Atlas has an optional "logged-out mode" that does not springiness ChatGPT entree to your credentials, and if an supplier is moving connected a delicate website, "Watch mode" requires users to support nan tab unfastened to show nan supplier astatine work.

"[The] supplier will region if you move distant from nan tab pinch delicate information," nan executive says. "This ensures you enactment alert -- and successful power -- of what actions nan supplier is performing."

Also: This caller Google Gemini exemplary scrolls nan net conscionable for illustration you do - really it works

It's an absorbing idea, and possibly nan logged-out mode should beryllium enabled by default. We are yet to spot if this accusation and entree tin beryllium safely handled, however, by immoderate AI browser successful nan agelong term.

It's besides worthy noting that successful a caller report released by Aikido, successful a study of 450 CISOs, information engineers, and developers crossed Europe and nan US, 4 retired of 5 responsive companies said they had knowledgeable a cybersecurity incident tied to AI code. Powerful, new, and shiny tech doesn't ever mean secure.

Alex Lisle, nan CTO of Reality Defender, told ZDNET that to spot nan sum full of your browsing history and everything aft to a browser "is a fool's errand."

"Not a week goes by without a caller flaw aliases utilization connected these browsers en masse, and while major/mainstream browsers are perpetually hacked, they're patched and amended maintained than nan patchwork that is nan existent AI browser ecosystem," Lisle added.

Surveillance

Another emerging rumor is surveillance. While we urge you usage a secure browser for your hunt queries truthful your activities aren't logged aliases tracked, AI browsers, by design, adhd discourse to your hunt queries done follow-up questions, web page sojourn logs and analysis, prompts, and more.

Eamonn Maguire, head of engineering, AI and ML, astatine Proton, commented:

"Search has ever been surveillance. AI browsers person simply made it personal. [...] Users now stock nan kinds of specifications they'd ne'er type into a hunt box, from wellness worries and finances to relationships and business plans. This isn't conscionable much data; it's coherent, communicative information that reveals who you are, really you think, and what you'll do next."

Also: Opera agentic browser Neon starts rolling retired to users - really to subordinate nan waitlist

Calling nan convergence of search, browsing, and automation an "unprecedented" level of penetration into personification behavior, Maguire added that "unless transparency catches up pinch capability, AI browsing risks becoming surveillance capitalism's astir friendly shape yet."

"The solution is not to cull innovation, but to rethink it. AI assistance doesn't person to travel astatine nan disbursal of privacy. We request clear answers to cardinal questions: really agelong is information stored, who has entree to it, and tin aggregated activity still train models? Until there's existent transparency and control, users should dainty AI browsers arsenic imaginable surveillance devices first and productivity immunodeficiency second."

Should I usage an AI browser?

As noted by Willison, successful exertion security, "99% is simply a failing grade," arsenic "if there's a measurement to get past nan guardrails, nary matter really obscure, a motivated adversarial attacker is going to fig that out."

There are galore "what ifs" surrounding AI browser usage correct now, and for immoderate information and programming experts for illustration Willison, they won't spot them until "a bunch of information researchers person fixed them a very thorough beating."

Who knows -- possibly zero-day punctual injection fixes will go a standalone class successful monthly spot cycles successful nan future.

Speaking to ZDNET, Brian Grinstead, elder main technologist astatine Mozilla, said that nan "fundamental information problem for nan existent harvest of agentic browsers is that moreover nan champion LLMs coming do not person nan expertise to abstracted trusted contented coming from nan personification and untrusted contented coming from web pages."

Also: I usage Edge arsenic my default browser - but its caller AI mode is unreliable and annoying

"Recent agentic browsing merchandise launches person reported punctual injection onslaught occurrence rates successful nan debased double digits, which would beryllium considered catastrophic successful immoderate accepted browser feature," nan executive commented. "We wouldn't merchandise a caller JavaScript API that fto a web page return power of nan browser 10% of nan time, moreover if nan page asked politely."

Grinstead recommends that if you want to cheque retired an AI browser, you should debar giving it entree to your backstage information and debar loading immoderate untrusted contented -- and not conscionable connected suspicious aliases unsecure websites, but pinch nan constituent successful mind that untrusted information tin look connected different trustworthy websites, specified arsenic merchandise reviews aliases Reddit posts.

In addition, nan executive recommends that you reappraisal information settings, including what information immoderate browser sends from your device, what it's utilized for, and whether it's stored.

Whether you take to usage an AI browser is up to you, though nan stakes are precocious if you intend to let new, comparatively untested browsers entree to your delicate information.

Want much stories astir AI? Check retired AI Leaderboard, our play newsletter.