Are AI browsers safe? The prompt-injection risk in Atlas and Comet
AI browsers like ChatGPT Atlas and Perplexity Comet can act on your behalf, clicking, typing, and moving across your tabs. That is exactly what makes them powerful, and exactly what makes them risky. In 2026, security researchers demonstrated real attacks, and even the vendors admit the core problem may never be fully solved. Here is the honest picture, and how to use an AI browser without getting burned.
The short answer
- Safe for low-stakes use: reading, research, and summarizing are fine.
- Risky when the agent acts: the danger is prompt injection, hidden instructions that hijack the assistant inside your logged-in sessions.
- Not fully fixable yet: OpenAI itself said in February 2026 that prompt injection in AI browsers may never be fully patched.
- The rule: use them for reading; do sensitive actions (email, banking) yourself, not through the agent.
Why AI browsers are uniquely risky
A normal browser shows you a page and waits. An agentic AI browser reads the page and can act on it: fill forms, click buttons, move between your open tabs, and use whatever you are logged into. That agency is the whole selling point, and it is also the vulnerability. If an attacker can slip instructions into something the browser reads, they can potentially make the agent act, using your identity and your logged-in access, without you approving it.
This is different from a normal web security bug. The threat is not just a malicious download; it is your own AI assistant being quietly redirected by content it treats as trustworthy. That is why 2026's security research has focused on AI browsers specifically.
The main threats
Prompt injection
Hidden instructions in a page, email, or document, sometimes in invisible elements, that hijack the agent and make it act without your intent. This is the central risk.
Session hijacking
Because the agent uses your logged-in sessions, a successful injection can trigger actions inside accounts you are signed into.
Memory poisoning
Corrupting the agent's stored context so it carries a malicious instruction forward into later, unrelated tasks.
Data exposure
Coaxing the agent into reading and leaking sensitive information it can see across your tabs, from emails to account details.
What researchers actually found in 2026
This is not theoretical. Multiple security teams demonstrated working attacks on the leading AI browsers this year:
A UW team studied seven popular agentic browsers and found that four could be made to bypass the same-origin policy, a foundational web security protection. A proof-of-concept attack on ChatGPT Atlas, plus conditions in three other browsers, let embedded malicious content access sensitive data.
Brave demonstrated indirect prompt injection against Perplexity Comet: attackers hid adversarial instructions in invisible page elements that caused Comet to execute sensitive cross-site actions, including fetching one-time passwords from email and accessing banking portals.
OpenAI launched a Lockdown Mode for ChatGPT and publicly acknowledged that prompt injection in AI browsers "may never be fully patched." Perplexity's security team separately said the problem is severe enough that it "demands rethinking security from the ground up."
How to use an AI browser safely
You do not have to avoid AI browsers, but you should treat the agent's power as the thing to manage. A practical safety checklist:
- Use them for reading, not sensitive doing. Research, summaries, and browsing are low-risk; letting the agent act inside email, banking, or work admin tools is where injection bites.
- Turn on lockdown or restricted mode if the browser offers one, and keep agent mode supervised rather than fully autonomous on anything important.
- Use a separate browser profile without saved logins for agentic tasks, so a hijacked agent has nothing sensitive to reach.
- Do the sensitive step yourself. When a task involves passwords, payments, or private data, complete that part in a normal browser rather than delegating it.
- Be skeptical of pages that seem to talk to the assistant. Content designed to instruct an AI is a red flag.
For the technical side of how these attacks work and how builders defend against them, see our guide to prompt injection and prompt safety.
Deciding which AI browser to use?
See how ChatGPT Atlas and Perplexity Comet compare on features, price, and use case.
So, are they safe enough to use?
For most people, yes, with limits. The risk is real and researcher-proven, but it is concentrated in one place: letting the agent act autonomously inside sensitive, logged-in sessions. Use an AI browser for what it is genuinely great at, reading, researching, and summarizing the web faster, and keep the high-stakes actions in your own hands until the security model matures. The vendors are improving it, but by their own admission the problem is not fully solved, so the safest posture in 2026 is to enjoy the assistant while keeping it away from your most sensitive accounts.
FAQ
Are AI browsers safe to use in 2026?
Safe enough for low-stakes browsing, but risky when the agent acts on your behalf. The core issue is prompt injection. A UW study found four of seven agentic browsers could bypass the same-origin policy, and OpenAI says the risk may never be fully patched. Use them for reading and research; be cautious about agent actions inside email or banking.
What is prompt injection in an AI browser?
Hidden or malicious instructions in content the browser reads (a page, email, or document, sometimes in invisible elements) that hijack the agent into doing something you did not ask for. Because the agent uses your logged-in sessions, a successful injection can trigger sensitive actions, as Brave demonstrated against Comet.
Is Atlas or Comet more secure?
Both have documented vulnerabilities, so neither is clearly safe. Researchers demonstrated attacks on each. The safer choice is less about the browser than how you use it: limit what the agent can touch.
How do I use an AI browser safely?
Use it for reading and research, not sensitive doing; turn on lockdown or restricted mode; keep agent mode supervised; use a separate profile without saved logins for agentic tasks; and do password, payment, or private-data steps yourself in a normal browser.
Can prompt injection be fixed?
Not completely yet. OpenAI acknowledged in February 2026 that it may never be fully patched, and Perplexity said it demands rethinking security from the ground up. Mitigations reduce the risk, but as long as an agent reads untrusted content and can act for you, some exposure remains.
Bottom line
AI browsers are one of the most useful tools of 2026 and one of the least settled on security. The convenience of an assistant that acts for you is inseparable from the risk that someone else can make it act, and researchers have shown, on both ChatGPT Atlas and Perplexity Comet, that prompt injection is not hypothetical. Use AI browsers for reading, research, and summarizing where they shine, keep the agent away from your email, banking, and other sensitive logged-in sessions, turn on any lockdown mode, and do the high-stakes steps yourself. Enjoy the assistant, but do not hand it the keys to everything, at least not yet. Compare the two leaders in ChatGPT Atlas vs Perplexity Comet, and go deeper on the mechanics in prompt injection and prompt safety.