Please stop using AI browsers (www.xda-developers.com)

A new generation of “AI browsers” — Perplexity’s Comet, OpenAI’s ChatGPT Atlas, Opera Neon and others — embed large language models (LLMs) as agentic assistants that can read pages, chain multi‑step workflows and act on your behalf (book tables, send emails, fill forms). While this promises huge usability gains, it fundamentally changes the browser security model: the assistant bridges the control plane (what the browser can do) and the data plane (what it can see), giving an LLM access to authenticated sessions, emails, tokens and cross‑site context that traditional same‑origin protections were designed to prevent. That combination creates easily exploitable vectors unique to LLMs. Prompt injection attacks — hidden or crafted instructions in page text, HTML comments, images or even parts of a URL — can “jailbreak” the assistant into following attacker commands. Real demos (Brave, LayerX) show Comet leaking a user’s Perplexity email, attempting logins and exfiltrating past interactions via a single malicious URL (“CometJacking”). Because LLMs are non‑deterministic pattern predictors, mitigations (filters, prompt analyzers, evaluators) are brittle and patching becomes whack‑a‑mole. For the AI/ML community this signals an urgent need to redesign agent architectures: stronger sandboxing, strict privilege separation, verifiable control channels and new evaluation layers — otherwise agentic browsing will remain a high‑risk vector for data leakage and account takeover.