Global Finances Daily
Your AI Browser May Be Vulnerable to ‘Prompt Injection’ Attacks

September 9, 2025

AI continues to take over more and more of our day-to-day activities: Anthropic recently announced a Chrome extension that allows Claude AI to see browser activity and run actions on behalf of users, while Perplexity’s Comet is an AI-powered browser that the company calls both a “personal assistant” and a “thinking partner.”

Agentic browsers may be able to do a lot of things for you, such as scheduling meetings, replying to emails, and ordering DoorDash, but handing all of this control (and personal information) over to AI comes with potential security risks. One of these is a prompt injection attack, which allows hackers to trick the AI into following their instructions instead of yours.

What is a prompt injection attack?

A prompt injection attack is when hackers disguise malicious inputs to AI as legitimate ones, so generative models are tricked into divulging sensitive data or taking harmful action.

As IBM describes, large language models (LLMs) are given sets of instructions—system prompts—for how to handle user inputs. These two elements are combined into a single command, both written in natural language, which means that the LLM cannot separate which part of the command is the system prompt and which comes from the user. If threat actors create an input that bears enough resemblance to a system prompt, it could supersede the legitimate developer instructions and force the LLM to follow the fake ones.

In practice, this may involve hiding malicious prompts on a webpage the LLM is likely to read in order to carry out an action. The content, which could be plain text or embedded in an image or PDF, may look harmless or be invisible to users (employing white text on a white background, for example). Hackers don’t need code to carry out a prompt injection attack—just the right words in the right place.
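One defensive check for the hidden-text case described above, as an added example that is not from the original article or from any browser vendor: before page text is handed to a model, split it into text a person would see and text concealed by inline styling. It is a heuristic that only reads inline `style` and `hidden` attributes (external stylesheets, images and PDFs are out of scope), and all names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link"}   # elements with no end tag
NOT_RENDERED = {"script", "style", "template", "noscript"}
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|font-size\s*:\s*0(?![.\d])|opacity\s*:\s*0(?![.\d])")

def css_value(style, prop):   # prop is a regex fragment naming the property
    m = re.search(r"(?<![-\w])" + prop + r"\s*:\s*([^;]+)", style)
    return m.group(1).strip() if m else None

class TextSplitter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []   # stack: (tag, concealed)

    def concealed(self):
        return bool(self.stack) and self.stack[-1][1]

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        fg, bg = css_value(style, "color"), css_value(style, "background(?:-color)?")
        own = (tag in NOT_RENDERED or "hidden" in attrs or bool(HIDING.search(style))
               or (fg is not None and fg == bg))           # e.g. white on white
        self.stack.append((tag, own or self.concealed()))  # children inherit

    def handle_endtag(self, tag):
        open_tags = [t for t, _ in self.stack]
        if tag in open_tags:               # ignore stray end tags
            del self.stack[len(open_tags) - 1 - open_tags[::-1].index(tag):]

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.concealed() else self.visible).append(text)

def split_page_text(html):
    parser = TextSplitter()
    parser.feed(html)
    parser.close()
    return parser.visible, parser.hidden

SAMPLE = """<h1>Cheap flights</h1><p>Fares from $89.</p>
<p style="color:#fff; background-color:#fff">[placeholder: text aimed at the AI]</p>
<div style="display: none"><span>[placeholder: second hidden block]</span></div>"""  # constructed
```

A non-empty hidden list is a reason to withhold the page from the agent or to show the concealed text to the user before any action is taken.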

How prompt injection compromises agentic browsers

While browsers with AI integration still require some manual input to complete tasks, agentic browsers act more like autonomous assistants that can follow entire workflows without user approval. That means that there’s no safeguard of human review before AI potentially shares your information, runs a malicious program, or spends money on a fraudulent purchase.


An example from Malwarebytes Labs: You ask your agentic browser to find and book a cheap flight for your next vacation. If it has all of your passenger and payment information available (because you’ve provided it), AI can complete this request without any additional action from you. But if the cheapest flight is found on a malicious website set up for this purpose, the browser could hand your credit card number and other sensitive data directly to the scammers.

A recent report from researchers at Brave (which has its own AI assistant) outlines particular concern about Perplexity’s Comet, with tests showing that the agentic browser is vulnerable to prompt injection attacks and that the issue hasn’t yet been fixed. Anthropic, for its part, has acknowledged its vulnerabilities and notes that it is working on safeguards to minimize them.

How to safely use agentic browsers

Mitigating prompt injection attack risks falls largely on the developers of agentic browsers rather than the user, with security experts recommending higher standards for user interaction and distinguishing between a user’s request and other content consumed to carry out a task.

That said, while Perplexity and Anthropic and others address these issues on their end, you can put guardrails in place against prompt injection, such as limiting the data and accounts your agentic browser can access and requiring manual review for high-stakes tasks, such as authorizing payments. Malwarebytes Labs also recommends enabling multi-factor authentication on all accounts connected to agentic browsers, regularly reviewing account and browser activity, and keeping software updated to ensure security flaws are patched in a timely manner.
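The guardrails above (limited accounts, manual review for high-stakes tasks, and separating the user's request from page content) can be expressed as a single gate in front of every agent action. This is an added sketch, not code from the article or from any browser; it assumes the agent runtime tags each planned step with where it came from, and the action kinds, field names and hostnames are hypothetical.

```python
from dataclasses import dataclass

HIGH_STAKES = {"payment", "send_email", "share_personal_data"}
LOW_STAKES = {"search", "read_page"}

@dataclass(frozen=True)
class Action:
    kind: str      # what the agent is about to do
    account: str   # account or site it touches ("" if none)
    origin: str    # "user": asked for directly; "page": suggested by web content

def gate(action, allowed_accounts, approve):
    """Decide one step. approve(action) shows it to the human and returns a bool."""
    if action.kind not in HIGH_STAKES | LOW_STAKES:
        return "deny", "unknown action kind"
    if action.account and action.account not in allowed_accounts:
        return "deny", "account not shared with the agent"
    if action.kind in LOW_STAKES:
        return "allow", "low-stakes step"
    if action.origin != "user":
        # Do not even prompt: the request came from content, not from the user.
        return "deny", "high-stakes step originated from page content"
    if approve(action):
        return "allow", "approved by the user"
    return "deny", "declined by the user"

def review_plan(plan, allowed_accounts, approve):
    """Run every planned step through the gate; returns (kind, decision, reason)."""
    return [(a.kind, *gate(a, allowed_accounts, approve)) for a in plan]

# Constructed plan for "book a cheap flight"; hostnames are made-up placeholders.
PLAN = [
    Action("search", "", "user"),
    Action("read_page", "", "page"),
    Action("payment", "airline.example", "user"),
    Action("share_personal_data", "airline.example", "page"),
    Action("payment", "unknown-shop.example", "user"),
]
```

Denying page-originated high-stakes steps before the approval prompt keeps the user from being asked to confirm something they never requested.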



Editorial Team

© 2025 All Rights Reserved - Global Finances Daily.
