Tags: Cybersecurity, AI tools

UW Study: 4 of 7 AI Browsers Fail Basic Security Tests

July 3, 2026

A University of Washington study just tested seven AI browsers for security. Four failed, including some of the biggest names: ChatGPT Atlas, Chrome with Gemini, Claude for Chrome, and Perplexity Comet.

If you're building on top of any of these, or just using one daily, this is worth five minutes.

The Attack

Researchers built a working proof-of-concept against ChatGPT Atlas in agent mode. One website stole data from another website embedded inside it — the same trick as a malicious ad on an email site reaching into your inbox.

It's a same-origin policy bypass. Browsers have enforced that boundary for decades — site A can't read site B's data. Agentic browsers, it turns out, can be tricked into crossing that line on the attacker's behalf.

The entry point is prompt injection: a malicious page hides instructions in its content, sometimes invisible to the human eye, and the agent reading that page follows them instead of the user's actual request.

Who's Affected

The confirmed proof-of-concept hit ChatGPT Atlas. Researchers found the same underlying preconditions in Chrome with Gemini, Claude for Chrome, and Perplexity Comet — meaning the attack surface exists, even without a fully weaponized exploit for each one yet.

Firefox AI Mode came out safest, mostly because it grants agents the fewest permissions. Less capability, smaller blast radius — a pattern that's going to keep showing up as this space matures.

The researchers disclosed to every vendor with 60+ days notice before publishing. Brave, Google, and Microsoft responded with acknowledgments. OpenAI declined the report on the grounds that it wasn't a full end-to-end exploit. Anthropic, Firefox, and Perplexity hadn't responded as of publication.

What the Researchers Are Saying

"Browser agents aren't ready for the public," said David Kohlbrenner, UW assistant professor and co-senior author. "If these agents have access to a browser that contains your credentials — your email, your bank account, whatever it is — you should not trust that these systems are ready to truly protect your information."

His framing: it's the same social-engineering playbook attackers use on humans, just rewritten for machines that can't yet tell the difference between a user's instruction and text sitting on a webpage.

Why This Isn't Going Away

This tracks with what OpenAI itself has said about prompt injection — that it may never be fully solved, only reduced through faster patch cycles and layered defenses. That's not a great place for an entire product category to be starting from.

If you're building agents that touch a browser, the takeaway isn't "wait for a fix." It's: scope permissions as tight as the task allows, treat any content the agent reads as untrusted input, and don't hand it access to anything you wouldn't hand a stranger reading over your shoulder.
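To make that takeaway concrete, here is an added example (not code from the UW study or from any browser vendor) of an origin-scoped gate placed in front of an agent's actions: instructions that came from page content are treated as untrusted data and are held to the same-origin boundary, while user instructions are limited to origins the user granted. The action shape, the `source` field and the origins are assumptions for the demo.

```javascript
// Added example, not code from the UW study or any browser vendor.
// Assumption: the agent's planner emits actions shaped as
//   { type, target, source }
// where `target` is the URL acted on and `source` is the literal string
// "user" (the user typed it) or the URL of the page whose content produced
// the instruction. Anything with a page source is untrusted input.

function originOf(url) {
  return new URL(url).origin; // throws on malformed input
}

// grants: origins the user explicitly authorized the agent to touch.
function makeActionGate(grants) {
  const granted = new Set(grants.map(originOf));

  return function decide(action) {
    let target, source;
    try {
      target = originOf(action.target);
      source = action.source === "user" ? "user" : originOf(action.source);
    } catch {
      return { allow: false, reason: "malformed URL" };
    }
    if (!granted.has(target)) {
      return { allow: false, reason: "origin not granted by user" };
    }
    if (source === "user") {
      return { allow: true, reason: "user instruction within grant" };
    }
    // Instruction came from page content: hold the same-origin line the
    // browser already enforces for scripts, now for the agent's actions.
    if (source !== target) {
      return { allow: false, reason: "page content may not reach another origin" };
    }
    // Even same-origin, page text must not drive outbound effects.
    if (action.type !== "read") {
      return { allow: false, reason: `page content may not trigger ${action.type}` };
    }
    return { allow: true, reason: "same-origin read within grant" };
  };
}

// Constructed scenario mirroring the proof-of-concept: the user authorized
// a mail site; a page at another origin embeds it and its hidden text asks
// the agent to read the inbox.
const gate = makeActionGate(["https://mail.example/"]);
const fromUser = { type: "read", target: "https://mail.example/inbox", source: "user" };
const injected = { type: "read", target: "https://mail.example/inbox",
                   source: "https://attacker.example/embed" };
console.log(gate(fromUser).allow, gate(injected).allow); // true false
```

The gate only decides; the agent runtime still has to route every tool call through it and record the page origin that produced each instruction, which is the hard part the study says current products get wrong.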

Sources: UW News, Mirage News

Frequently Asked Questions

Which AI browsers were found vulnerable in the UW study?

University of Washington researchers tested seven AI-powered browsers and found four — ChatGPT Atlas, Chrome with Gemini, Claude for Chrome, and Perplexity Comet — had conditions allowing attackers to bypass the same-origin policy and steal data across websites.

What is prompt injection in AI browsers?

A malicious webpage hides instructions in its content, sometimes invisible to the user. When an AI agent reads that page, it can follow the hidden instructions instead of the user's actual request — potentially accessing other tabs, emails, or accounts.

Was there a real exploit demonstrated, or just theoretical risk?

Researchers built a confirmed proof-of-concept attack against ChatGPT Atlas, where one embedded website stole data from another website inside it, similar to a malicious ad reaching into a user's email.

Which AI browser is safest according to the study?

Firefox AI Mode was rated safest in the study, largely because it grants AI agents the fewest permissions. Lower capability meant a smaller attack surface, though it's also the most limited browser tested.