AI-powered browsers are designed to be intelligent and helpful, but recent security research reveals a troubling vulnerability: they can be exploited to hack users, even through the images they analyze online. On the very day OpenAI launched its ChatGPT Atlas browser, Brave Software disclosed methods for manipulating AI browsers into executing malicious commands.

Figure 1. AI Browsers Vulnerable: One Malicious Image Can Breach Security.

The vulnerability is another example of a prompt injection attack, where an attacker secretly supplies a malicious prompt to an AI chatbot—potentially instructing it to open a harmful website or access a user’s email. Brave, the company behind the privacy-focused Brave browser, has long cautioned about the risks of integrating automated AI agents into browsers. On Tuesday, it revealed a prompt injection attack that can target Perplexity’s AI-powered Comet browser when analyzing images, such as screenshots captured from the web. Figure 1 shows AI Browsers Vulnerable: One Malicious Image Can Breach Security.

Brave Software explained that their attack hides prompt-injection instructions inside images by using faint light blue text on a yellow background—making the malicious content invisible to human viewers.

When Perplexity’s Comet browser is asked to analyze such an image, it can read those concealed instructions and act on them. Brave even built a demo that appears to have fooled Comet into following some hidden commands, including searching for a user’s email address and navigating to a hacker controlled website.

Brave also uncovered a similar prompt injection exploit affecting the Fellou browser: when Fellou was simply instructed to navigate to a hacker controlled webpage, it read concealed instructions on the site and executed them — in the demo it accessed a user’s email inbox and transmitted the subject line of the most recent message to the attacker controlled site.

Brave notes that, although the Fellou browser shows some resistance to hidden-instruction attacks, it still treats visible web page content as trusted input for its large language model (LLM). Surprisingly, they found that merely instructing the browser to visit a website causes it to send the site’s content directly to its LLM.

The upside is that users can often intervene and halt the attack, especially since it becomes fairly noticeable while the AI is processing the task. Nevertheless, Brave emphasizes that this research highlights how “indirect prompt injection is not an isolated issue, but a systemic challenge for the entire class of AI-powered browsers.”

Brave warned that the most alarming aspect of these vulnerabilities is that an AI assistant can operate with the user’s authenticated privileges. “An agentic browser hijacked by a malicious site can access a user’s banking, work email, or other sensitive accounts,” the company tweeted.

In response, Brave is urging AI browser developers to adopt stronger safeguards, including requiring “explicit consent from users for agentic browsing actions like opening sites or reading emails”—a practice OpenAI and Microsoft have already implemented to some degree.

Brave reported the vulnerabilities to both Perplexity and Fellou. Fellou did not immediately respond to requests for comment. Perplexity, however, told PCMag: "We worked closely with Brave on this issue through our active bug bounty program (the flaw is patched, unreproducible, and was never exploited by any user)."

Perplexity also pushed back against Brave’s framing of the issue, saying: "We've been dismayed to see how they mischaracterize that work in public. Nonetheless, we encourage visibility for all security conversations as the AI age introduces ever more variables and attack points. We're the leaders in security research for AI assistants."

Source: PC MAG

Cite this article:

Priyadharshini S (2025), AI Browsers at Risk: A Single Malicious Image Could Compromise Security, AnaTechMaz, pp.854