Brave Software, founded in 2016, has recently published groundbreaking research. This study further identifies the systemic vulnerabilities associated with AI-powered browsers, in particular focusing on issues related to indirect prompt injection attacks. These attacks are an emerging and growing threat as the adoption of AI agents for web browsing remotely proliferates. The study calls out a critical lack of security solutions. User credentials will increasingly be low-hanging fruit for bad actors.
Rachel Tobac, CEO of SocialProof Security, stated the alarming possibility of abuse AI browsers could facilitate to user accounts. She explained that these platforms could become a lure for attackers looking to target weaknesses in the ways users manage their credentials. With each iteration of AI technology, the surface area attack for security heightens exponentially requiring a deep understanding and holistic approach to protecting user data.
With the emergence of AI agents, prompt injection attacks have emerged, presenting new challenges to developers and users. Shivan Sahib is a senior research and privacy engineer at Brave. He noted the extent to which these attacks can undermine users’ safety and privacy, saying, “these attacks are not just experiments. The early instances of such attacks involved embedding hidden text within web pages that instructed the AI to “forget all previous instructions,” thereby manipulating its decision-making process.
Brave’s analysis underscores just how dangerous prompt injection attacks can be. It highlights a frustrating reality — clear solutions to completely prevent these attacks don’t yet exist. Likewise, Dane Stuckey, OpenAI’s Chief Information Security Officer, echoes this sentiment. He acknowledges the security concerns resulting from the recent implementation of “agent mode” in ChatGPT Atlas, Sahib’s new web browser powered by ChatGPT. Stuckey acknowledged that prompt injection is still a somewhat “unsolved security problem.” He worries that adversaries are already spending a significant amount of time and money trying to leverage these flaws.
Sahib remarked on the dual nature of AI-powered browsers, stating, “There’s a huge opportunity here in terms of making life easier for users, but the browser is now doing things on your behalf.” This raises an important tension between convenience and security that should be kept in mind when designing AI technologies.
We know that cyber threats are growing in sophistication. That’s why thought leaders like Rachel Tobac are calling for users to be proactive and safe when using AI browsers such as ChatGPT Atlas and Comet. She suggests restricting access to sensitive accounts that involve banking, health, and other personal information when using these platforms. These are just a few measures that can be taken to minimize and prevent risks from prompt injection attacks.
Steve Grobman, Chief Technology Officer at McAfee, similarly expressed concern about the topic. He noted that one of the things that large language models can’t do is actually understand the context and source of any given prompt. This built in limitation opens up even more avenues for bad actors to take advantage of flaws in AI systems.
Brave’s research illustrates a deeply worrisome state of security for browsers that have implemented AI-powered features. According to the company’s respective findings, these technologies have the potential to greatly improve efficiency and convenience. At the same time, they open up new vulnerabilities that cybercriminals can exploit.
The realities of this relentless shift in web technology demand a re-assessment of security approaches. As Perplexity’s security team noted in a recent blog post, addressing these challenges “demands rethinking security from the ground up.” We are admittedly hopeful for the future, but desperately fearful for how these changes – unintended or not – will impact our everyday browsing and the entire open web.