This is the first post in a series about security and privacy challenges in agentic browsers. This vulnerability research was conducted by Artem Chaikin (Senior Mobile Security Engineer), and was written by Artem and Shivan Kaul Sahib (VP, Privacy and Security).
The threat of instruction injection
At Brave, we’re developing the ability for our in-browser AI assistant Leo to browse the Web on your behalf, acting as your agent. Instead of just asking “Summarize what this page says about London flights”, you can command: “Book me a flight to London next Friday.” The AI doesn’t just read, it browses and completes transactions autonomously. This will significantly expand Leo’s capabilities while preserving Brave’s privacy guarantees and maintaining robust security guardrails to protect your data and browsing sessions.
This kind of agentic browsing is incredibly powerful, but it also presents significant security and privacy challenges. As users grow comfortable with AI browsers and begin trusting them with sensitive data in logged in sessions—such as banking, healthcare, and other critical websites—the risks multiply. What if the model hallucinates and performs actions you didn’t request? Or worse, what if a benign-looking website or a comment left on a social media site could steal your login credentials or other sensitive data by adding invisible instructions for the AI assistant?
To compare our implementation with others, we examined several existing solutions, such as Nanobrowser and Perplexity’s Comet. While looking at Comet, we discovered vulnerabilities which we reported to Perplexity, and which underline the security challenges faced by agentic AI implementations in browsers. The attack demonstrates how easy it is to manipulate AI assistants into performing actions that were prevented by long-standing Web security techniques, and how users need new security and privacy protections in agentic browsers.
The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab.
How the attack works
Setup: An attacker embeds malicious instructions in Web content through various methods. On websites they control, attackers might hide instructions using white text on white backgrounds, HTML comments, or other invisible elements. Alternatively, they may inject malicious prompts into user-generated content on social media platforms such as Reddit comments or Facebook posts. Trigger: An unsuspecting user navigates to this webpage and uses the browser’s AI assistant feature, for example clicking a “Summarize this page” button or asking the AI to extract key points from the page. Injection: As the AI processes the webpage content, it sees the hidden malicious instructions. Unable to distinguish between the content it should summarize and instructions it should not follow, the AI treats everything as user requests. Exploit: The injected commands instruct the AI to use its browser tools maliciously, for example navigating to the user’s banking site, extracting saved passwords, or exfiltrating sensitive information to an attacker-controlled server.
This attack is an example of an indirect prompt injection: the malicious instructions are embedded in external content (like a website, or a PDF) that the assistant processes as part of fulfilling the user’s request.
Attack demonstration
... continue reading