AI browser security gaps let malicious sites steal data

A new study from the University of Washington reports that four of seven popular AI browsers can be exploited by malicious websites to steal data from other open sites. The research points to prompt injection and memory poisoning—risks that scale with browser
When you run an AI browser, it doesn’t just look at a page—it tries to act on it. That’s the sales pitch. Summarize what you read, help you plan trips, even complete purchases.
But a study from the University of Washington punctures that excitement with a simpler fear: four of the seven most popular AI browsers on the market can open a door for malicious websites to steal data from other sites you already have open.
The risk is tied to a browser rule older than the modern web. Since 1995, browsers have relied on the same-origin policy to stop websites from reading each other’s data. It’s why a sketchy site in one tab can’t reach into your bank in another.
AI browsers, the researchers say, need broader access to perform tasks across multiple tabs—summaries and actions that require reading across different sites. And that is exactly the gap attackers can exploit.
Two techniques do the damage. The first is prompt injection. A malicious webpage can hide “secret instructions” that an AI agent follows without realizing it has been manipulated. Those instructions can be used to expose private emails, passwords, or calendar details.
The second is memory poisoning. In this scenario, planted instructions get stored in the agent’s memory and can activate later—after the original page is closed. The researchers report a successful proof-of-concept attack on ChatGPT Atlas, showing the threat isn’t just theoretical.
The study also calls out Claude for Chrome as particularly risky because its browser extension design lets it inject code directly into webpages.
From there, the findings move from mechanism to a blunt list of which tools appear safer and which appear riskier.
Out of seven browsers, ChatGPT Atlas, Chrome with Gemini, Claude for Chrome, and Perplexity Comet were found vulnerable.
Microsoft Edge with Copilot, Brave Leo, and Firefox AI Mode showed stronger security properties. The catch: Firefox was also described as the most limited in capability.
The researchers disclosed the findings to all companies involved. Anthropic and Firefox did not respond. Perplexity and OpenAI declined to act, arguing the researchers lacked a complete end-to-end attack demonstration.
Not every company took the same posture. Google, Microsoft, and Brave engaged constructively with the findings.
This is not happening in a vacuum. The research arrives after the BioShocking exploit, which also showed how AI browsers can be manipulated by context.
The picture that emerges is uncomfortable in its simplicity: the more capable the AI browser. the bigger the security risk turns out to be—at least under today’s defenses. For users who want AI to roam across open tabs to do real work. the study suggests that browsers may still be moving faster than their security can keep up.
AI browsers University of Washington study same-origin policy prompt injection memory poisoning ChatGPT Atlas Claude for Chrome Chrome with Gemini Perplexity Comet Microsoft Edge Copilot Brave Leo Firefox AI Mode cybersecurity
So basically AI browsers are like spyware now?
I don’t even get how a website can “steal data from other open sites” like… aren’t those tabs separate? Sounds like they’re breaking the whole point of the internet. Guess I’m just not using any of these AI browser things.
Wait, if it’s prompt injection, that’s like phishing but for the AI part right? I saw something about memory poisoning too and I’m like… does that mean once you get tricked, it remembers forever or until you close the browser?? Also “ChatGPT Atlas” sounds new so why is it already getting hacked.
this is why I don’t trust anything with “AI” in the name. next they’ll say just use incognito and you’ll be fine, even though half the time it still tracks you. Claude for Chrome being risky makes sense cause extensions are always sketchy anyway. I’m sure this affects regular browsing too, not just “AI browsers” like people keep calling them.