In a nutshell: Prompt injection differs fundamentally from traditional hacking. Instead of malicious code, the attack relies on carefully crafted words. This shift highlights the unique security challenges AI introduces to widely used platforms such as web browsers.
Artificial intelligence is becoming increasingly integrated into everyday technology, including web browsers. However, new research from Malwarebytes raises concerns that this shift could enable novel attacks that rely not on code, but on language.
At the heart of the issue is a technique called prompt injection, a method of tricking large language models into executing hidden instructions embedded within otherwise benign content. Malwarebytes' findings suggest that as browsers incorporate AI assistants capable of deeper interaction with websites, they may also become more susceptible to this type of manipulation.
LLMs are designed to follow user prompts – whether that's a typed question, a request for a summary, or a command – to perform a task. The problem is that these models don't always draw a clear boundary between internal instructions, such as developer-imposed rules against malicious behavior, and external input provided by users or third-party content.
Why is no one talking about this?
– zack (in SF) (@zack_overflow) August 23, 2025
This is why I don't use an AI browser
You can literally get prompt injected and your bank account drained by doomscrolling on reddit: https://t.co/keiz7bL2XX pic.twitter.com/aGN8xrdZtD
That weakness creates an opening for adversaries. Prompt injection relies on linguistic trickery: instead of exploiting software bugs, attackers embed carefully crafted commands within text or data. When an AI system ingests that text – say, from a web page or PDF – it may interpret the instructions as legitimate and execute them as if they came from the user.
Malwarebytes' research demonstrated how seemingly ordinary websites or social media comments could smuggle these prompts into an AI browser's command stream, potentially leading to unauthorized actions. One method involves invisible formatting, such as hiding instructions in white text on a white background. Humans won't notice the deception, but the AI might.
The risks grow as browsers evolve from simple AI helpers into what researchers describe as agentic browsers. An AI browser merely augments existing functionality: summarizing articles, answering questions, or streamlining searches – tasks that still rely on user oversight.
Agentic browsers, by contrast, are designed for autonomy. Instead of waiting for manual clicks, they can perform multi-step actions online, such as booking flights, managing accounts, or making purchases. With the right permissions, an agentic browser can interact with websites as a user's proxy, sending payment details or filling in sensitive information with minimal real-time supervision.
The convenience is obvious. A person might ask an agentic browser to find the cheapest flight to Paris in the coming month and book it automatically. But the security implications are equally stark: if the system encounters a maliciously crafted site, it could inadvertently hand over payment credentials or initiate transactions the user never intended.
In separate research, Brave's AI assistant, Leo, was used to explore these risks. The company reported that Perplexity's experimental Comet browser showed vulnerabilities when tested against indirect prompt injection attacks. In these cases, the harmful instructions weren't typed by the user but embedded in external content the browser processed along the way.
According to Brave, these vulnerabilities highlight a broader industry challenge: ensuring that agentic systems can distinguish between user-issued commands and background material encountered during browsing. Without that distinction, attackers can use text content as an attack vector.
Perplexity has attempted to patch Comet against these attacks twice, but Brave said the fixes still don't fully resolve the underlying issue.
Researchers argue that stronger filters and stricter separation of input channels are essential to protect agentic browsers from prompt injection. Until those safeguards mature, experts recommend exercising caution.
Safe practices include limiting permissions granted to agentic browsers, keeping software updated, and reviewing website sources before allowing automated interactions. Strong authentication methods such as multi-factor logins can reduce the impact if credentials are stolen, while monitoring activity logs can help detect anomalies early. Security analysts also advise against delegating high-stakes actions, like large financial transactions, without human confirmation.
