How to Use AI Browsers Without Getting Hacked

Wait 5 sec.

For the past few days, I’ve been poking around every AI browser I could get my hands on. So far, I’ve performed general research tasks on Perplexity Comet and used ChatGPT Atlas to successfully navigate an Amazon checkout. I even spent some time familiarizing myself with the new Dia browser from the developers of Arc.As I've explored these browsers, I've been mindful of the many security risks to contend with: Prompt injection, where malicious AI prompts are hidden in a website or browser extension’s HTML source code, is the most obvious threat. But there are also cases of AI agents acting without a user’s permission to access your logged-in accounts. Moreover, AI browsers can leak data between browser tabs and hand over user credentials on clever prompting without even using any malicious code. But despite the risks, there are legitimate ways to experiment with AI browsers without compromising your privacy. In fact, most of these browsers have optional features you can enable to both beef up your security and keep the apps from having more access than they need. If you're going to use an AI browser on your device, here's what you need to know to protect yourself.What makes AI browsers a security risk?A regular web browser can only open a page for you after you make the request. You still decide which sites to navigate to and what buttons to interact with. With AI browsers like Atlas or Comet, the browsers themselves scan and analyze a web page for you, summarize information, and even act autonomously to execute tasks in agent mode. These things make AI browsers very convenient for daily use, but they also expose them to new vulnerabilities, as attackers can now manipulate the browser to access your accounts and data much more easily. AI prompt injection is the most popular example, since bad actors simply need to hide malicious instructions within websites for it to work. Even the official OpenAI documentation warns against using Atlas with production data because of prompt injection fears. Worse still, prompt injection attacks require no compromising action on your part. Simply navigating to a web page that has these AI prompts hidden in layers of source code is all it takes. You won’t even see the malicious instructions while you’re browsing the web page, but your browser will read the invisible instructions and automatically do what it tells them without asking for verification or consent from you.Brave’s security team used several prompt injection attacks to demonstrate issues with Perplexity Comet, which has since been termed CometJacking. In one particular case, Comet dug up its user's email address, obtained a one-time password from their inbox, and forwarded it to an attacker without anyone the wiser. All it took was a request to summarize a Reddit thread that had malicious prompts hidden in it. ChatGPT Atlas has also revealed similar vulnerabilities. Security researcher Johann Rehberger got the browser to switch from light mode to dark mode using a simple command hidden inside a Word document that he asked the browser to read. As LayerX explains, Atlas is also susceptible to cross-site request forgery (CSRF), where a malicious web page can send instructions to your browser as if you had typed them yourself. Moreover, AI browsers don’t use the same blocklists and heuristics as traditional ones to flag known phishing websites, so they’re more likely to let you access a scammer’s website without blocking it. LayerX says Atlas users are 90% more susceptible to these types of attacks compared to Chrome or Edge users. Automated checkouts carry a direct financial risk. While AI browsers are relatively new, Amazon already won a court injunction to prevent Comet from completing checkouts for users on its websites, because it’s known to bypass certain security measures put in place to prevent financial fraud. Enable built-in browser settings for better safetyAI browsers carry too many vulnerabilities and loopholes for regular usage, but that doesn’t mean you can’t use them at all without compromising your data. There are many built-in privacy settings you can enable for extra protection, along with some general best practices for safe browsing that can be particularly useful. Before you start using an AI browser, make sure that it’s configured correctly to get rid of the biggest loopholes that attackers tend to use. Here’s what I discovered to be most effective. Disable data sharing so AI browsers don’t train models on your dataAlmost every AI browser uses your browsing patterns and search history to train future iterations of its AI models, so it’s effectively getting better at doing things by learning from your day-to-day tasks. That means all your browsing data is being sent to the browser’s developers by default unless you specifically opt out. Luckily, browsers that train models on your data also give you the option to disable training, at least on paid plans. This is always the first feature you should turn off if you use AI Browsers. ChatGPT Atlas: Navigate to Settings > Data Controls and disable Improve model for everyone to disable model training. You can also selectively opt out of letting ChatGPT use your browsing history or audio recordings of chat sessions for model training here. Perplexity Comet: Go to New Tab Page > Account > Preferences. Toggle off AI data retention to opt out of model training from Perplexity. Dia: From your browser window, visit Settings > Privacy. Disable the option that says Share content data to improve Dia.Keep your browser from accessing your logged-in sessions Using the Logged out version of Agent mode with ChatGPT Atlas Credit: OpenAI/ChatGPT As we saw with the Comet demonstration, AI browsers can be manipulated into accessing your logged-in accounts on different websites and retrieving sensitive information through prompt injection. Depending on their level of access, they can also go into your accounts to execute certain actions without your knowledge, like sending an email or downloading a file. In ChatGPT Atlas, you can specifically prevent the AI from accessing your logged-in browser sessions in Agent Mode, so that it’s forced to ask for your credentials each time it needs to log into an email account or social media profile. While there’s no exact equivalent to this feature with Comet or Dia, those browsers also offer controls that let you decide how much access your agent can have. ChatGPT Atlas: When you start a new chat inside ChatGPT Atlas, choose Agent mode from the + menu. Right next to the + menu, you’ll now see a dropdown that lets you switch between Logged in and Logged out to control whether the AI agent has access to your logged-in browser cookies. If you choose to stay logged out, Atlas won’t be able to access your active sessions by default, instead prompting you to log in manually if your task requires access to a user account. Perplexity Comet: In Comet, there’s no universal toggle that restricts access to logged-in sessions. Perplexity notes that Comet does not have access to your passwords since those are only stored in your operating system’s vault, but it can still use your active sessions to pull sensitive information from logged-in accounts or execute tasks using those accounts. So, your best bet is to use Incognito mode when logging into any websites with the Comet browser, so you don’t stay logged in after you quit. Dia: Like Atlas and Comet, Dia is also vulnerable to CSRF, prompt injection, and memory poisoning attacks that allow hackers to hijack your logged-in account sessions. Like Comet, Dia does not have a dedicated Logged out mode, and the AI is designed to access all your logged-in sessions by default to automate web-based tasks. Once again, you should use the browser’s incognito mode whenever you log into an account. You can also navigate to Privacy and security > Delete browsing data from dia://settings/ to delete your existing session cookies and log out of all active accounts. Turn off persistent memory unless you really need itWith standard prompt injection attacks, AI browsers read an attacker’s instructions and execute them only a single time. But there’s a more sophisticated form of prompt injection called memory poisoning. Attackers inject malicious instructions into your AI’s account-specific memory, which is retained across all your devices in each and every session. For example, an attacker could use memory poisoning to have your browser leak your most recent emails each day, instead of just the one time it reads malicious instructions. Hackers can use this tactic to compromise your data and hijack access across multiple devices where you use the same AI browser, which is even more of a threat with cross-platform browsers like Comet and Dia. ChatGPT Atlas: Go to Settings > Personalization. Toggle off Reference browser memories to prevent ChatGPT from retaining any memory from your previous chat sessions. This will effectively prevent it from getting better at your tasks by learning from your data, but it will also shield you from attacks that specifically target this feature. OpenAI notes that ChatGPT Atlas has built-in security filters that restrict access to sensitive information like government ID, bank account or credit card numbers, and SSNs. But disabling browser memories entirely offers much better safety. If that feels too extreme, you can also use incognito mode when performing any tasks that you’d rather not have relegated to your browser memory, or go to Settings > Personalization > View browser memories to delete or archive memories you don’t want retained. Perplexity Comet: You can go to comet://settings/ > Privacy and security > Delete browsing data to clear your browsing history, cache, and cookies. To delete saved AI memories from your Perplexity account, you can navigate to New Tab Page > Account > Preferences > Memory, where you can choose to disable memory retention by toggling off Use search history and Notes. You can also click Manage memories to alter or delete specific memories. Dia: If you click on the Personalization button in a new tab, Dia will take you to a page where you can adjust how memory gets used. Toggle off Personalize new chats so Dia can’t draw from its preexisting memory when you start new conversations. If you want to clear or disable memory retention altogether, you can go to Settings > Memory, then click Reset Memory or Disable Memory. Restrict what agents can access on sensitive sites Restrict access to sensitive sites when using Comet Credit: Perplexity AI With Atlas, hardcoded limits prevent the browser from running code, downloading files, installing extensions, or accessing your device’s file system by default. With Comet and Dia, things are kept more open-ended, though they both offer some protection from letting your agents handle sensitive financial data by default. But if you’d like to take this a step further, you can disable agent access to sensitive websites like banking and healthcare platforms, so that they can’t see anything or take actions on these sites. Doing this fully insulates you from prompt injection attacks aimed at these platforms. ChatGPT Atlas: Go to Settings > Personalization. You’ll see an option called ChatGPT page visibility. If you click on it, you can add a list of websites where your agents won’t be able to access any data or take actions even when prompted. But you’ll still be able to access these sites using the browser manually. Perplexity Comet: You can adjust Comet’s permissions on a more granular level to prevent it from performing specific tasks on certain websites. Go to Settings > Privacy and security, then take a look at the options under Comet Assistant to find Block personal search for these websites. This should give you more options to configure which websites Comet can navigate to and interact with, as well as whether it can access your browser history by default. Dia: You can visit dia://settings/ > Privacy and security > Site settings to control all site permissions on an individual level. However, this does not prevent agents from seeing the data on these websites. To prevent Dia from gaining access to data from sensitive sites, it’s better to just avoid logging into any private accounts unless in incognito mode. A few additional best practices for AI browser safetyGenerally speaking, the less data and permissions that your agentic browser has access to, the less damage it can do during an attack. Apart from the built-in security settings described above, there are some general best practices that I like to follow whenever using a browser like Atlas, Comet, or Dia:Keep using your regular browser, like Chrome or Firefox, for most day-to-day work. Maintain a separate profile for AI browsers with no sensitive logins just for running AI browsing tasks.Don’t download AI browsers or AI browser extensions from unofficial sources or third-party marketplaces. Hackers are floating a lot of fake and malicious software in this space, so keep to the official sources to reduce exposure. Avoid accessing user-generated content platforms like Reddit with your AI browser, which are a haven for prompt injection attacks. But if you must do it, make sure to restrict your agents from seeing or accessing anything on these sites. Don’t copy-paste long strings of text or URLs into your AI browser without verifying them first. Attackers can bury prompt injection attempts in longer URL strings. This is a very common exploit from hackers targeting Atlas’ Omnibox, the browser's search and prompt bar combo.When asking an agent to execute multi-step workflows, always keep an eye on what it’s doing and use the pause or interrupt controls to stop any suspicious activity as soon as you spot it. For sensitive platforms like financial websites or workplace communication apps, enable two-factor authentication on your account to prevent agents from logging in without your knowledge.