New research from the University of Washington has found that several popular AI-powered agentic browsers carry significant cybersecurity vulnerabilities, undermining a foundational web security protocol known as the same-origin policy. The study examined seven agentic browsers and found that four, including ChatGPT Atlas, Chrome with Gemini, Claude for Chrome, and Perplexity Comet, created conditions allowing malicious actors to bypass the protections that normally prevent websites from accessing each other’s data.
Researchers successfully demonstrated a proof-of-concept attack on ChatGPT Atlas, in which one website was able to extract sensitive information from another embedded within it. Browsers granting AI agents fewer permissions were generally found to be safer, with Firefox AI Mode emerging as the least risky option tested, though also the most limited in capability.
David Kohlbrenner, a University of Washington assistant professor and co-senior author of the study, said browser agents with access to sensitive credentials should not yet be trusted to protect user information. Co-senior author Franziska Roesner noted that the same-origin policy has underpinned safe web browsing for three decades, and that the vulnerabilities identified represent a meaningful regression in browser security.
The researchers identified two primary attack vectors: prompt injection, where hidden instructions embedded in malicious webpages manipulate an agent’s behaviour, and memory poisoning, where an agent’s stored information becomes vulnerable to cross-contamination between different website origins.
The findings were shared with the companies involved; Anthropic and Firefox did not respond, while Perplexity and OpenAI declined to comment.
