AI browsers are here, and they're being hacked (www.nbcnews.com)

AI-infused browsers from OpenAI, Perplexity, Opera (Neon) and others have debuted, letting built-in agents read pages, summarize content and act on logged‑in accounts — but researchers warn they’re vulnerable to simple “prompt injection” hacks. Attackers can hide instructions in webpages (invisible text, spoiler tags or color-matched text inside images) that are ignored by humans but parsed by agents; Brave demonstrated exploits against Neon and Perplexity’s Comet that could, for example, exfiltrate a user’s email if the agent was allowed to access the user’s account. Firms have patched some bugs and say they use red‑teaming and layered defenses, while OpenAI offers a logged‑out mode that mitigates damage at the cost of much functionality. This matters because AI browsers fundamentally expand the attack surface: agents routinely scan page content and can act on sensitive services (email, banking, shopping), turning well-known LLM prompt‑injection risks into practical account‑takeover pathways. The situation is an evolving cat‑and‑mouse—researchers keep finding new injections and vendors keep patching—so the community needs stronger mitigations (robust input filtering, strict permission models, provenance checks, sandboxing, and clearer UI for agent actions) as well as ongoing red‑teaming. Until defenses mature, users and developers must weigh automation convenience against significant new security and privacy trade‑offs.