A University of Washington team examined seven agentic browsers and found that four created conditions under which malicious actors could bypass the same-origin policy, a browser security rule that has helped protect users since the mid-1990s by preventing one website from reading or manipulating data from another. The study identified ChatGPT Atlas, Chrome with Gemini, Claude for Chrome and Perplexity Comet as products where powerful agent access raised heightened risks, while Brave Leo AI, Microsoft Edge with Copilot and Firefox AI Mode showed more restrictive designs.
The most serious demonstration involved ChatGPT Atlas in Agent Mode. Researchers created a proof-of-concept attack in which a malicious page could use prompt injection to persuade the browser agent to read embedded cross-origin content and submit it through a form. The attack did not use real user data and was carried out in a controlled environment, but its implications are significant because the same pattern could, under certain conditions, expose information from email, corporate dashboards or financial pages.
The issue stems from the way agentic browsers combine web access with language-model reasoning. A conventional browser generally keeps websites apart and leaves the user to decide what to copy, paste or submit. An AI browser agent can read pages, summarise them, navigate tabs, fill forms and act across sites. That added power creates a new risk: hostile text hidden in a webpage, advertisement, iframe or code may be interpreted as an instruction rather than treated as untrusted content.
The University of Washington researchers, Franziska Roesner and David Kohlbrenner of the Paul G. Allen School of Computer Science & Engineering, said the security model for these browsers remains unsettled. Their study was presented at the Agents in the Wild Workshop in Rio de Janeiro and updated in April, with public discussion following in late June. Experiments were conducted in late January and early February on macOS Sequoia using stable versions available at the time.
The technical finding is worrying, but the disclosure process has drawn equal attention. The researchers notified the vendors more than 60 days before publication. Brave, Google and Microsoft engaged with the team. Other responses were more limited, with some vendors declining the report or not providing a substantive reply before publication. That uneven response has sharpened concern that AI browser security is advancing through competitive product launches rather than a mature vulnerability-handling culture.
The study also highlighted memory poisoning, where an AI agent’s stored context may preserve malicious instructions after the original page is gone. If a hostile webpage can place an instruction into the agent’s memory, the agent may act on it later when visiting another site. That creates a delayed attack surface that does not map neatly on to old browser threat models.
The researchers did not argue that all AI browsing features are equally unsafe. Their work found a trade-off between power and restraint. Browsers with limited agent access tended to show stronger security properties but weaker functionality. Systems closer to a full human-like browser operator offered more useful automation, yet also created more opportunities for cross-origin data leakage, action forgery and prompt-driven manipulation.
The findings arrive as major technology companies push AI agents deeper into consumer and enterprise workflows. Perplexity’s Comet has been promoted as an AI-first browser for research and productivity. OpenAI’s Atlas is designed to blend ChatGPT with web navigation. Google is building Gemini into Chrome. Anthropic has tested Claude through browser access, while Microsoft, Brave and Mozilla have taken more guarded approaches through assistant-style browser integrations.
Enterprise security teams are likely to view the findings as a warning against giving agentic browsers access to authenticated sessions, internal tools or financial systems without stronger controls. A browser that can see logged-in content, remember instructions and act across tabs becomes a privileged software layer. If its agent cannot reliably distinguish user intent from malicious page content, traditional safeguards become less dependable.
Topics
Technology