The so-called “intermediary” AI browsers – that is, browsers that not only read for us, but also click, log in, fill out forms and even make purchases – seem astonishingly useful. However, according to the latest research, it is precisely this comfort that has become their greatest weakness. Security experts warn that these browsers can easily be tricked into executing hidden, malicious instructions without the user’s knowledge. This is the so-called “quick injection” attack, and is no longer a theory: it has been successfully demonstrated in several specific browsers, including Perplexity Comet and an AI browser called Fellou.
Hidden commands in screenshots
One of the most serious vulnerabilities just discovered is a Perplexity Comet’s assistant it affects Comet is able to analyze screenshots: the user takes a screenshot of a web page, uploads it and asks the AI to explain its content. The problem starts when the image shows not only the text the user sees, but also any vague, hidden, or hard-to-see instructions that an attacker has smuggled into the background. The researchers found that the AI does not treat these invisible texts individually, but instead interprets them as commands and tries to act on them – for example, to access pages or accounts opened elsewhere or to retrieve data.
This is especially dangerous because such browsers are often already logged into bank, email or corporate accounts. In other words, we’re not talking about a fictional science fiction scenario: in theory, a screenshot of an innocent-looking website could suffice “analyze” with the browser’s built-in AI, opening the door for an attacker. According to experts, this is not traditional hacking, not classic malware, but manipulation: the AI receives instructions, and the AI obeys.
If it is enough to just open a page
Another type of problem has been detected in the Fellou browser. There was no need to hide invisible tricks in the background. It was enough for the user to ask the browser: “open this website”. The researchers found that the browser automatically sends the entire text of the opened page to its own language model for background processing and treats this content as trustworthy. If instructions are intentionally placed on the page (“do this”, “enter here”, “send this information“), then the browser can easily prioritize these instructions over the user’s original request.
Important: it is no longer necessary to ask for this separately “Summary of the page”. Simply visiting the page is enough for the model to encounter the text commands written by the attacker and treat them as part of its own operating logic. This difference makes the current situation much more serious than traditional phishing attempts.
Related content: What happens if artificial intelligence spends the money itself?
Why is this different from a normal virus or phishing?
Malicious code is typically found in classic browsers “touches boundaries”: the browser does not allow a foreign website to simply click on our banking page or look at our correspondence. This is what we call, among other things “same origin policy”that is, one page cannot go to another. AI browsers, on the other hand, often work like an assistant that sees everything we’re logged in to – and can perform actions for us even between multiple tabs in the background. If this assistant can be misled, the old protection rules will suddenly be circumvented.
According to the researchers, this is why this type of browsing – the so-called “agent browsing”where the system actively acts on behalf of the user is currently inherently risky and should be treated as such. Until there is a comprehensive, industry-wide security solution, users should be careful about what they allow AI to do: for example, whether they really trust it to log into a bank, browse internal corporate systems, or view confidential emails.
Where can there be a way out?
The suggestions from the developer’s side point in one direction: there should be a clear boundary between the user’s request and the content collected through the website. In Hungarian: the browser is allowed to use the “Complete this page” type a user request and the hidden text of an unknown page. Instead, the browser should work in strictly controlled, isolated steps and only automatically perform an action (such as opening another page, logging in, copying data) if the user has specifically given permission to do so.
The researchers also warn that until this change in industry attitudes takes place, AI browsing is closer to an experimental technology than a mature, secure everyday tool.
#security #vulnerability #browsers