AI browsers face a security flaw as inevitable as death and taxes (www.theregister.com)

Several security researchers have demonstrated that new “AI browsers” and agentic chatbots (notably OpenAI’s Atlas, plus Comet and Fellou) are vulnerable to prompt injection and related web attacks that let attackers make models act on their behalf. Prompt injection—where attacker-controlled text becomes an instruction for an LLM—can be direct (pasted into an omnibox or input) or indirect (hidden in web pages, images, PDFs or Google/Word docs the bot is asked to summarize). Exploits have shown browsers opening Gmail, reading the top email subject, and sending it to attacker-controlled URLs; changing UI settings; executing commands from crafted URLs in the address bar; and even cross-site request forgery (CSRF) that issues actions as an authenticated user and persists in ChatGPT’s memory. Researchers also showed session-level poisoning (e.g., secretly altering future math results), illustrating how injections can create covert, persistent harms. This matters because AI is growing more “agentic” — given permissions to access email, files, cloud drives, and purchase systems — so successful injections can lead to data exfiltration, unauthorized actions, or deletion. Experts warn prompt injection can’t be fully eliminated whenever untrusted data is fed to LLMs. Practical mitigations include strict least-privilege tooling, mandatory human confirmation for sensitive actions, vetting or sanitizing ingested sources, sandboxing downstream operations, logging/monitoring, and denying instructions that conflict with user intent. Still, researchers caution these measures only reduce risk; training-data backdoors and the expanding attack surface of agentic AI keep the threat persistent.